About This Guide


Novell® BorderManager™ Enterprise Edition 3.5 Installation and Setup 
provides the basic information you need to set up Virtual Private Network 
(VPN). 


This documentation provides the following additional information:

• Chapter 1, “Advanced Configuration of Virtual Private Networks,” on
  page 1

  This chapter describes the procedures you need to set up and configure
  various VPN features and parameters.

• Chapter 2, “Managing Virtual Private Networks,” on page 71

  This chapter describes how to set up VPN logging and describes the
  information found in the VPN logs.
Chapter 1

Advanced Configuration of Virtual Private Networks


This chapter explains the advanced configuration tasks for the Virtual Private 
Network (VPN) component of the Novell® BorderManager™ software. Note 
that these tasks require preparatory steps provided in Novell BorderManager 
Enterprise Edition 3.5 Installation and Setup. For in-depth information to help 
you plan your VPN configuration, refer to Novell BorderManager Enterprise 
Edition 3.5 Overview and Planning. 


Note: Configuration procedures use words like Add and Browse for the icon buttons in
the interface.


This chapter contains the following sections:

• “Merging NDS across a VPN” on page 1

• “Performance Tuning for VPNs” on page 2

• “Setting Up Site-to-Site VPNs” on page 2

• “Setting Up Client-to-Site VPNs” on page 42


Merging NDS across a VPN 


The procedure for merging NDS™ across a VPN is the same as for any other 
network. Refer to the NetWare® online documentation for detailed instructions 
for merging NDS across a LAN or WAN. 
Performance Tuning for VPNs


Because VPN performance is mostly determined by the routers on the Internet, 
you are limited to tuning each VPN server's Internet Service Provider (ISP) 
connection to increase your VPN's performance. Depending on which path is 
used through the Internet, increasing the bandwidth of your ISP connections 
might or might not improve the performance of your VPN. However, if a slow 
link exists, try the following adjustments: 


• Tune the Internetwork Packet Exchange™ (IPX™) timeouts for the
  client and for the server using NIASCFG.

• Increase the IPX application timeouts.

• Increase the TCP/IP application timeouts.

• Turn off UDP checksumming.

• Use the NetWare Link Services Protocol™ (NLSP™) software instead of
  the Routing Information Protocol (RIP) and Service Advertising
  Protocol (SAP) for IPX.

• Increase the number of packet receive buffers as allowed by the amount
  of available memory.


Setting Up Site-to-Site VPNs 


This section explains the tasks you complete to configure a site-to-site VPN. 
This section contains procedures for the following: 


• “General Configuration Task Using VPNCFG” on page 3

• “General Configuration Tasks Using NetWare Administrator” on page 5

• “Setting Up Implementation-Specific Site-to-Site Configurations” on
  page 16
General Configuration Task Using VPNCFG


This section explains the advanced configuration task for a site-to-site VPN 
using the VPNCFG utility. Use VPNCFG to regenerate the encryption 
information. 


Regenerating the Encryption Information 


To maintain security, we recommend that you regenerate the encryption 
information every six months after the initial configuration of the VPN. To 
regenerate the encryption information, complete the following steps: 


1. At the master server console prompt, enter

   LOAD VPNCFG

2. Select Master Server Configuration.

3. Generate the master server encryption information.

   3a. Select Generate Encryption Information.

   3b. Enter up to 255 characters for the random seed.

       There is no need to record this value. The software uses this value
       to help randomize the master server RSA public and private keys
       and the master server Diffie-Hellman public and private values that
       it generates.

4. Copy the master encryption information file (MINFO.VPN) to
   diskette or save it to a local hard disk.

   4a. Select Copy Encryption Information.

   4b. Enter the path in which you want to save the master encryption
       information file.

5. Give the MINFO.VPN file to the network administrator of each
   slave server you want to add to the VPN.

   You can either send the diskette containing the file by surface mail or
   send the file as an e-mail attachment. There is no danger of
   compromising security if the file is intercepted because it cannot be
   interpreted without the slave server's RSA public and private keys and
   Diffie-Hellman public and private values.

6. Exit VPNCFG.


7. Load VPNCFG on the slave server.

8. Select Slave Server Configuration.

9. Generate the slave server encryption information.

   9a. Select Generate Encryption Information.

   9b. Enter the location of the master encryption information file
       (MINFO.VPN).

   9c. Contact the master server administrator and verify that you
       have the same digest values.

       Having the same digest values ensures the authenticity of the
       MINFO.VPN file.

       Important: If the message digest values do not match, the encrypted
       tunnel between the slave and master servers cannot be created. In this
       case, the master server administrator must provide a new MINFO.VPN
       file.

   9d. Ask the master server administrator to select Authenticate
       Encryption Information to authenticate the MINFO.VPN file.

       To authenticate this file, the administrator must load VPNCFG and
       select the following menu path:

       Master Server Configuration > Authenticate Encryption
       Information

   9e. If the MINFO.VPN file is valid, enter up to 255 characters for
       the random seed.

       There is no need to record this value. The software uses this value
       to help randomize the Diffie-Hellman public and private values
       that it generates for the slave server.

10. Copy the slave encryption information file (SINFO.VPN) to diskette
    or save it to a local hard disk.

    10a. Select Copy Encryption Information.

    10b. Enter the path or name of the file in which you want to save the
         slave encryption information file. The default is
         A:\SINFO.VPN.


Hint: Rename your SINFO.VPN file to a name such as SINFO_S1.VPN. This enables
the master server administrator to collect all slave encryption information files in
a single directory without overwriting them. You can also use a server or location
name when renaming the SINFO.VPN file.


11. Give your slave encryption information file to the master server 
administrator. 


You can either send the diskette containing the file by surface mail, or 
send the file as an e-mail attachment. There is no danger of 
compromising security if the file is intercepted because it contains only 
public information. Any alteration of the file can be detected by verifying 
the message digest when the master server adds the slave server to the 
VPN. 


12. Press Esc until you exit VPNCFG. 


13. Use NetWare® Administrator to remove all slave servers and add 
them back again. 


For more information, refer to Novell® BorderManager™ Enterprise 
Edition 3.5 Installation and Setup. 


General Configuration Tasks Using NetWare Administrator 


This section explains the advanced configuration tasks for a site-to-site VPN 
using the NetWare Administrator utility. Use NetWare Administrator to 
complete the following tasks: 


• “Selecting Network Protocols on Your VPN” on page 6

• “Specifying Networks Protected by a Site-to-Site VPN” on page 7

• “Selecting Data Encryption and Data Authentication Methods” on
  page 8

• “Selecting Your VPN Topology” on page 9

• “Selecting Whether the Connection Is Initiated from One Side or Both
  Sides” on page 10

• “Adjusting the VPN Server Response Timeout” on page 11

• “Tuning Master-Slave Server Synchronization” on page 11

• “Removing a Slave Server from a VPN” on page 12

• “Adding a Server that Is a Member of Another VPN” on page 13


Selecting Network Protocols on Your VPN 
With Novell BorderManager, you can select the network protocols—IP and
IPX—that are encrypted and sent over the VPN tunnel.

This capability offers the following advantages:

• You can temporarily suspend IPX or IP traffic without bringing down the
  VPN.

• You can choose to run only one protocol over the VPN, even if your
  intranet uses both. This capability also conserves server resources and
  network bandwidth on intranets that use only one network protocol.

Both protocols are tunneled by default.

Important: Disabling both IPX and IP effectively disables the VPN without
bringing it down.


To enable or disable protocol tunneling on your VPN, complete the following
steps:

1. In NetWare Administrator, double-click the VPN master server and
   select the BorderManager Setup page.

2. Click the VPN tab.

3. Double-click Master Site-to-Site under Enable Service.

4. Click Control Options.

5. Check the check box for the network protocol you want to enable.

   A checked box indicates that the protocol will be encrypted and sent over
   the VPN tunnel.

6. Click OK until you exit the NetWare Administrator utility.


Exiting the NetWare Administrator utility triggers a VPN 
synchronization. If you plan to perform additional VPN configuration 
tasks, you can trigger a synchronization immediately by clicking Status, 
then clicking Synchronize All. 


Specifying Networks Protected by a Site-to-Site VPN

For each VPN server, you can specify the addresses of one or more local IP
networks or hosts that can exchange encrypted data across the VPN. This is
equivalent to setting up static routes for encrypted data. When you synchronize
the VPN, the static routes are automatically added to the routing tables of the
other VPN servers, which use the routes to forward encrypted data to the server.

The alternative to using static routes to determine which networks can
exchange encrypted data is using dynamic routing across the VPN. For a
description of the advantages and disadvantages of using static routes, refer to
Novell BorderManager Enterprise Edition 3.5 Overview and Planning.

Important: You must set up all static routes for protected networks on VPN
servers using the NetWare Administrator utility, not the NIASCFG utility. Any
static routes you set up from NIASCFG with a tunnel address as the next-hop
router are removed from the VPN server routing tables when a VPN
resynchronization occurs.


To specify an address of a local private network or host that you want to be 
protected by a particular server, complete the following steps: 


1. In NetWare Administrator, double-click the VPN master server and 
select the BorderManager Setup page. 


2. Click the VPN tab. 
3. Double-click Master Site-to-Site under Enable Service. 


4. In the VPN Members list box, double-click the VPN server you want
   to set up.


5. To use RIP to dynamically determine which networks are protected 
by this server, select Enable IP RIP. 


6. To statically configure the list of networks protected by this VPN 
server, complete the following substeps: 


6a. Click Add. 
6b. Select Network or Host. 


6c. Enter the IP network address and subnet mask of the network 
or host that you want to be protected by this server. 


6d. Click OK. 
6e. Specify any additional protected networks, then click OK to
    return to the main VPN page.

Note: At this point, your master server recognizes the slave server, but the
slave server has not been updated yet with the VPN configuration information.
The slave server must be updated in order for the VPN to come up. Make sure
that the master and slave servers can communicate using IP before
synchronizing the servers.


7. To update all VPN members with the entire VPN configuration, 
complete the following substeps: 
7a. From the main VPN page, click Status. 


7b. Click Synchronize All to update all VPN members with the 
current configuration. 


This might take some time, depending on the number of members 
that must be updated. When the process is complete, all members 
should have a status of Up-to-Date. 


7c. If any VPN server remains with a status of Being configured,
    select that VPN server, then check the audit log for
    configuration errors.


7d. Click OK. 
Selecting Data Encryption and Data Authentication Methods

The preferred data encryption and authentication methods are used during
negotiation between the two sides of a VPN connection to determine the actual
methods that are used for the connection. The preferred data encryption and
authentication methods for the server apply to both site-to-site and
client-to-site connections.


To change the preferred values used to negotiate the methods of data 
encryption and data authentication, complete the following steps: 


1. In NetWare Administrator, double-click the VPN master server and 
select the BorderManager Setup page. 


2. Click the VPN tab. 


3. Double-click Master Site-to-Site under Enable Service. 
4. In the VPN Members list box, double-click the VPN server you want
   to set up.


5. Select an option for the Preferred Encryption Method parameter. 


6. Select an option for the Preferred Authentication Method 
parameter. 


7. Specify a value for the Data Encryption Key Change Interval 
parameter. 


8. Click OK until you exit the NetWare Administrator utility. 


Exiting the NetWare Administrator utility triggers a VPN 
synchronization. If you plan to perform additional VPN configuration 
tasks, you can trigger a synchronization immediately by clicking Status, 
then clicking Synchronize All. 


Selecting Your VPN Topology 


With BorderManager, you can select from one of the following topologies to 
use with your VPN: 


° Mesh (default) 


In this topology, all VPN members have connections to each other. 


° Star 


In this topology, all VPN members have connections only to the master 
server. 


° Ring 


In this topology, each VPN member has connections to two of its 
neighbors. 


To select the topology for your VPN, complete the following steps: 


1. In NetWare Administrator, double-click the VPN master server and 
select the BorderManager Setup page. 


2. Click the VPN tab. 


3. Double-click Master Site-to-Site under Enable Service. 
4. Click Control Options.
5. Check the check box for the type of topology you want to use. 


6. Click OK until you exit the NetWare Administrator utility. 


Exiting the NetWare Administrator utility triggers a VPN 
synchronization. If you plan to perform additional VPN configuration 
tasks, you can trigger a synchronization immediately by clicking Status, 
then clicking Synchronize All. 


Selecting Whether the Connection Is Initiated from One Side or Both Sides 


With BorderManager, you can specify whether a connection between two VPN 
servers is always initiated by only one server or is initiated by either server. 


Selecting One Side indicates that a connection made between two servers is 
always initiated by one server. This setting typically results in faster calls. 
Selecting Both Sides allows either server to initiate the connection. However, 
if two servers initiate a connection to each other simultaneously, the connection 
takes longer to be established. In this case, the longer connection time is caused 
by the servers negotiating which one initiated the connection first. 


To specify whether a connection between two VPN servers can be initiated by 
only one server or either server, complete the following steps: 


1. In NetWare Administrator, double-click the VPN master server and 
select the BorderManager Setup page. 


2. Click the VPN tab. 

3. Double-click Master Site-to-Site under Enable Service. 
4. Click Control Options. 

5. Check the check box for One Side or for Both Sides. 


6. Click OK until you exit the NetWare Administrator utility. 


Exiting the NetWare Administrator utility triggers a VPN 
synchronization. If you plan to perform additional VPN configuration 
tasks, you can trigger a synchronization immediately by clicking Status, 
then clicking Synchronize All. 
Adjusting the VPN Server Response Timeout


The response timeout determines how long an individual VPN server waits for 
a response from another server before terminating the connection. Increasing 
the response timeout can help to maintain connectivity between servers if the 
link between them is slow. 


To adjust the response timeout for a VPN server, complete the following steps: 


1. In NetWare Administrator, double-click the VPN master server and 
select the BorderManager Setup page. 


2. Click the VPN tab. 
3. Double-click Master Site-to-Site under Enable Service. 


4. In the VPN Members list box, double-click the VPN server you want
   to configure.


5. Enter the response timeout. 


6. Click OK until you exit the NetWare Administrator utility. 


Exiting the NetWare Administrator utility triggers a VPN 
synchronization. If you plan to perform additional VPN configuration 
tasks, you can trigger a synchronization immediately by clicking Status, 
then clicking Synchronize All. 


Tuning Master-Slave Server Synchronization 


On a VPN, the master server communicates with the slave servers to ensure 
that they maintain the same information about the VPN topology and use the 
current public encryption keys. For this purpose, you can customize the Update 
Interval, Connect Timeout, and Response Timeout parameters. Tuning these 
parameters represents a balance between quick convergence of the VPN and 
the traffic and CPU overhead. 


If your servers and ISP connections are working properly, the default timeout
values are adequate to enable your VPN to synchronize in the shortest possible
amount of time.
To tune master-slave server synchronization, complete the following steps:

1. In NetWare Administrator, double-click the VPN master server and
   select the BorderManager Setup page.

2. Click the VPN tab.

3. Double-click Master Site-to-Site under Enable Service.

4. Click Control Options.

5. Enter values for the Update Interval, Response Timeout, and
   Connect Timeout parameters.

   Values for the Update Interval and Response Timeout parameters range
   from 0 to 5 hours and 59 minutes. The Connect Timeout parameter value
   ranges from 0 to 20 hours and 59 minutes.

6. Click OK until you exit the NetWare Administrator utility.


Exiting the NetWare Administrator utility triggers a VPN 
synchronization. If you plan to perform additional VPN configuration 
tasks, you can trigger a synchronization immediately by clicking Status, 
then clicking Synchronize All. 


Removing a Slave Server from a VPN 


When you remove a slave server from a VPN, the master server distributes an 
updated VPN members list to the remaining slave servers. The master server 
also sends a request to the removed server to detach itself from the VPN. 


Note: You cannot remove the master server from a VPN.


To remove a slave server from a VPN, complete the following steps: 


1. Verify that the slave server you want to remove does not have
   INETCFG loaded.

   If INETCFG is loaded when the VPN slave server is removed, the
   remaining slave servers will not synchronize properly.

2. In NetWare Administrator, double-click the VPN master server and
   select the BorderManager Setup page.

3. Click the VPN tab.


4. Double-click Master Site-to-Site under Enable Service. 


5. In the VPN Members list box, click the slave server you want to 
remove. 


6. Click Delete in the VPN Members list box. 
7. Click Status. 
8. Click Synchronize All, then click OK. 


9. After the VPN has synchronized, go to the slave server and remove 
the VPN configuration from the slave, as follows: 


9a. Load VPNCFG. 


9b. Select Remove VPN Server Configuration. 


Adding a Server that Is a Member of Another VPN

A VPN server that is a member of another VPN can also be included in your
VPN using the multiple tunnel support provided by Novell BorderManager.

Important: The tunnel connection to the third-party VPN server is an IP-only
connection. Only the local VPN server that is associated with the third-party
VPN server can exchange encrypted information with the third-party VPN server.

For third-party servers to function, your local VPN must use a mesh topology. If
the third-party VPN is running Novell BorderManager VPN software, it must also
use a mesh topology.

When adding a third-party server to your VPN, the administrators of both VPN
servers must configure the same authentication or encryption algorithms or the
encrypted tunnel will not be established. Your local VPN server will not negotiate
authentication or encryption algorithms with a third-party slave server, even if
the third-party server is also running Novell BorderManager VPN software.

Servers that are members of two VPNs are managed differently than servers
that are members of just one VPN. Refer to the Virtual Private Network online
documentation for more information.
Adding a Third-Party VPN Server that Is Not Running Novell
BorderManager Software

If the third-party VPN is running another vendor’s VPN software, you must
create a new SINFO.VPN file and complete the procedure for adding a server
to a VPN, as described in Novell BorderManager Enterprise Edition 3.5
Installation and Setup. Create a new SINFO.VPN file with the following
fields:
• Major version number—Should always be set to 1.

• Minor version number—Should always be set to 5.

• Server name—Arbitrary name assigned to the third-party server. You can
  pick any name for convenience.

• Master or slave ID—Should always be set to 1.

• Public IP address—Public IP address of the third-party server.

• Public IP address mask—Public IP address mask of the third-party
  server.

• Private IP address—Not used. Should always be set to 0.0.0.0.

• Private IP address mask—Not used. Should always be set to 0.0.0.0.

• Tunnel IP address—IP address of the VPN tunnel that you want to assign
  to the third-party server. The address must belong to the same IP network
  as the local VPN’s tunnel address.

• Tunnel mask—Should be set to match the mask of your local VPN
  tunnel.

• Public value length—Length of the third-party server’s Diffie-Hellman
  public value, in bytes.

• Public value in BER—Third-party server’s Diffie-Hellman public value,
  in BER format. 1024-bit values are supported.

• Security capabilities—Decimal equivalent of a 32-bit binary integer you
  must compute using the following bit values:

  - Bit 0—If you are using the export version of the VPN software, set
    this bit to 1. Otherwise set it to 0.

  - Bit 1—If Keyed_MD5 is supported, set this bit to 1. Otherwise, set
    it to 0.

  - Bit 2—If Keyed_SHA1 is supported, set this bit to 1. Otherwise,
    set it to 0.

  - Bit 3—If HMAC_MD5 is supported, set this bit to 1. Otherwise,
    set it to 0.

  - Bit 4—If HMAC_SHA1 is supported, set this bit to 1. Otherwise, set
    it to 0.

  - Bit 5 to bit 15—Set these bits to 0.

  - Bit 16—If DES-CBC is supported, set this bit to 1. Otherwise, set
    it to 0.

  - Bit 17—If 3DES-CBC is supported, set this bit to 1. Otherwise, set
    it to 0.

  - Bit 18—If RC5-CBC is supported, set this bit to 1. Otherwise, set
    it to 0.

  - Bit 19—If RC2-CBC is supported, set this bit to 1. Otherwise, set
    it to 0.

  - Bit 20 to bit 29—Set these bits to 0.

  - Bit 30—Set this bit to 1.

• Flag to indicate third-party—Should always be set to 1 to indicate that
  the server is a member of a third-party VPN.

• Local VPN member—Name of your local VPN server that is directly
  connected to the third-party VPN server. This is the only local server to
  which the third-party VPN server can be connected.
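The following Python is an added worked example, not part of the manual or of Novell's software: it computes the Security capabilities value from the bit assignments listed above, checks and decodes such a value received in a third-party SINFO.VPN file, verifies that a tunnel address is on the local tunnel network as the Tunnel IP address and Tunnel mask fields require, and assembles the field values listed above. The manual does not describe the on-disk syntax of SINFO.VPN, so the dict keys are the manual's field names rather than a file format, and the server names and DH value in the test are constructed samples.

```python
import ipaddress

# Bit positions of the "Security capabilities" field as listed in the manual.
# Bit 0 is the export-version flag, bit 30 must always be 1, and bits 5-15,
# 20-29 (plus bit 31, which the manual never assigns) must stay 0.
CAPABILITY_BITS = {
    "Keyed_MD5": 1,
    "Keyed_SHA1": 2,
    "HMAC_MD5": 3,
    "HMAC_SHA1": 4,
    "DES-CBC": 16,
    "3DES-CBC": 17,
    "RC5-CBC": 18,
    "RC2-CBC": 19,
}
EXPORT_BIT = 1 << 0
ALWAYS_SET_BIT = 1 << 30
RESERVED_MASK = sum(1 << i for i in [*range(5, 16), *range(20, 30), 31])


def security_capabilities(supported, export_version=False):
    """Decimal Security capabilities value for the named algorithms."""
    value = ALWAYS_SET_BIT | (EXPORT_BIT if export_version else 0)
    for name in supported:
        if name not in CAPABILITY_BITS:
            raise ValueError(f"unknown algorithm: {name}")
        value |= 1 << CAPABILITY_BITS[name]
    return value


def valid_security_capabilities(value):
    """True if the value fits in 32 bits, has bit 30 set and no reserved bit
    set; use it to sanity-check a received SINFO.VPN before importing it."""
    if not 0 <= value < (1 << 32):
        return False
    return bool(value & ALWAYS_SET_BIT) and not (value & RESERVED_MASK)


def decode_security_capabilities(value):
    """(export_version, sorted algorithm names) for a well-formed value."""
    if not valid_security_capabilities(value):
        raise ValueError(f"malformed Security capabilities value: {value}")
    names = sorted(n for n, b in CAPABILITY_BITS.items() if value & (1 << b))
    return bool(value & EXPORT_BIT), names


def hex_mask_to_dotted(mask):
    """Convert a mask written as in the manual (FF.FF.FC.0) to 255.255.252.0."""
    return ".".join(str(int(octet, 16)) for octet in mask.split("."))


def same_tunnel_network(local_ip, local_mask, peer_ip, peer_mask):
    """True if the third-party tunnel address is a distinct host on the local
    VPN's tunnel network with the same mask. Masks are hex-dotted as written
    in the manual (FF.0.0.0)."""
    local_net = ipaddress.ip_network(
        f"{local_ip}/{hex_mask_to_dotted(local_mask)}", strict=False)
    peer_net = ipaddress.ip_network(
        f"{peer_ip}/{hex_mask_to_dotted(peer_mask)}", strict=False)
    return (local_net == peer_net
            and ipaddress.ip_address(local_ip) != ipaddress.ip_address(peer_ip))


def third_party_sinfo_fields(server_name, public_ip, public_mask, tunnel_ip,
                             tunnel_mask, dh_public_value_ber, supported,
                             local_member, local_tunnel_ip, local_tunnel_mask,
                             export_version=False):
    """Assemble the field values for a non-BorderManager server's SINFO.VPN,
    applying the manual's fixed values. The file's on-disk syntax is not in
    the manual, so a dict keyed by the manual's field names is returned."""
    if not same_tunnel_network(local_tunnel_ip, local_tunnel_mask,
                               tunnel_ip, tunnel_mask):
        raise ValueError("tunnel address must be on the local VPN tunnel network")
    return {
        "Major version number": 1,
        "Minor version number": 5,
        "Server name": server_name,
        "Master or slave ID": 1,
        "Public IP address": public_ip,
        "Public IP address mask": public_mask,
        "Private IP address": "0.0.0.0",
        "Private IP address mask": "0.0.0.0",
        "Tunnel IP address": tunnel_ip,
        "Tunnel mask": tunnel_mask,
        "Public value length": len(dh_public_value_ber),
        "Public value in BER": dh_public_value_ber.hex(),
        "Security capabilities": security_capabilities(supported, export_version),
        "Flag to indicate third-party": 1,
        "Local VPN member": local_member,
    }
```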


Adding a Third-Party VPN Server that Is Running Novell
BorderManager Software

If the third-party VPN is running Novell BorderManager, you must generate
the third-party’s encryption information, as described in Novell
BorderManager Enterprise Edition 3.5 Installation and Setup. Edit the
third-party’s SINFO.VPN file, and complete the procedure for adding a server
to a VPN, as described in Novell BorderManager Enterprise Edition 3.5
Installation and Setup. To edit the third-party’s SINFO.VPN file, obtain the file
from the other VPN’s administrator and change the values of only the
following fields:


• Server name—Arbitrary name assigned to the third-party server. You can
  pick any name for convenience.

• Tunnel IP address—IP address of the VPN tunnel that you want to assign
  to the third-party server. The address must belong to the same IP network
  as the local VPN’s tunnel address.

  Important: This field must be changed from the third-party server’s VPN
  tunnel address to the VPN tunnel address of your local server.

• Tunnel mask—Should be set to match the mask of your local VPN
  tunnel.

  Important: This field must be changed from the third-party server's VPN
  tunnel mask to the VPN tunnel mask of your local server.

• Flag to indicate third-party—Should always be set to 1 to indicate that
  the server is a member of a third-party VPN.

• Local VPN member—Name of your local VPN server that is directly
  connected to the third-party VPN server. This is the only local server to
  which the third-party VPN server can be connected.

  Note: This field is not present in the SINFO.VPN file that you receive from
  the third-party VPN. Therefore, you must add the field after the Flag to
  indicate third-party field.

Important: Do not change the Security Capabilities field in the server's
SINFO.VPN file.

Setting Up Implementation-Specific Site-to-Site Configurations

This section describes implementation-specific examples for site-to-site VPNs.
Some of these examples require that you complete the preparatory steps
provided in Novell BorderManager Enterprise Edition 3.5 Installation and
Setup. For in-depth information to help you plan your VPN configuration, refer
to Novell BorderManager Enterprise Edition 3.5 Overview and Planning.


Site-to-site VPNs can be implemented in the following ways:

• To exchange secure information over the Internet

  In this case, VPN servers at two or more remote sites use the Internet to
  exchange encrypted confidential information. The VPN servers can
  connect directly to the Internet, or connect through an existing firewall
  or high-speed router. Examples of both are provided in this section. In
  these examples, it is assumed that you selected the Setup BorderManager
  for Secure Access to Public Interface option during BorderManager
  installation.

• To exchange secure information within a private network

  In this case, a VPN is set up on a corporate intranet or private network to
  exchange encrypted information. An example of this case is provided in
  this section.

Note: For additional information, see the BorderManager FAQ at
support.novell.com/cgi-bin/search/tidfinder.cgi?2926411. If you are using the
Novell Knowledgebase search function, the TID number is 2926411.


This section contains the following topics:

• “Using the VPN Server as a Border Server” on page 17

• “Using the VPN Server behind a Firewall” on page 27

• “Setting Up a VPN within a Private Network” on page 35


Using the VPN Server as a Border Server 


This section discusses the following two possible scenarios for using the VPN 
server as a border server: 


• VPN servers using the same network for both public and private
  addresses

• VPN servers using different networks for both public and private
  addresses

VPN Servers Using the Same Network for Both Public and Private
Addresses


In this example, the company has offices at two remote sites: San Jose and 
Athens, as shown in Figure 1-1 on page 19. The Finance and corporate offices 
are in San Jose, and the Accounting office is in Athens. At each office, the 
public and private addresses are on a different subnet of the same Class B IP 
network address. Both offices must share data without allowing other users on 
networks that are not protected by the VPN servers to access the data from 
within the company or through the Internet. 


At both sites, the VPN server is connected directly to the Internet and is being 
used as the border server. The following procedure shows you how to connect 
the two remote sites in this example by setting up the two border servers as 
VPN servers and using an encrypted tunnel to send data between the sites. 
Figure 1-1: Remote Sites Using the Same Network for Both Public and Private
Addresses that Are Linked by VPN Nodes Connected Directly to the Internet
To connect two remote Internet sites using a VPN, complete the following
steps:

1. Choose a master server for your VPN.

   In this example, the San Jose site is selected because the corporate office
   has the Corporate Information Services staff, who are better equipped to
   manage the VPN.

2. Contact an ISP and arrange for Internet connectivity. Write down
   the public IP address and subnet mask that the ISP provides you.

   Note: Repeat this step for each site that will be a part of the VPN.

   In this example, the public IP address and subnet mask for the VPN
   master server in San Jose are 135.27.180.1 and FF.FF.FC.0, respectively.
   The public IP address and subnet mask for the VPN slave server in
   Athens are 135.145.188.25 and FF.FF.FC.0, respectively.

3. Choose an IP address and subnet to use for your VPN tunnel
   interface.

   Because this address will never be sent over the Internet, it can be any
   unregistered address, for example, 10.0.0.1 and FF.0.0.0 for the master
   server, and 10.0.0.2 and FF.0.0.0 for the slave server.

   Note: The master server and all slave servers must use IP addresses on the
   same network or subnet for the VPN tunnel interfaces.


Install the NetWare and BorderManager software on your master 
server. 


Use NIASCFG to configure the protocols and routing on your 
master server as follows: 


° Configure a WAN interface to connect to your ISP. 
° Create a WAN call configuration to connect to your ISP. 
° Enable TCP/IP. 


° Bind TCP/IP to the WAN interface that connects your VPN server 
to your ISP (135.27.180.1). This interface must have a registered 
IP address. 


° Reinitialize the system to make these changes take effect. 


Establish a connection to your ISP and verify that the master server 
can communicate with the ISP router. 


Do this before you add the VPN. Before testing the connection, you must 
verify that the BorderManager filters are configured to allow Internet 
Control Message Protocol (ICMP) packets through. After testing, the 
filters should be returned to their previous configuration. If you 
configured your call as Permanent-Automatic, the server should connect 
to your ISP immediately after you reinitialize the system. If you 
configured your call as any other type, you might need to initiate the call 
yourself by loading CALLMGR at the console and initiating an IP WAN 
call to your ISP. After the call is connected, ping the ISP router by 
entering LOAD PING at the console prompt and entering the IP address 
of the router (provided by the ISP). If you can ping the ISP router, you 
are connected to the ISP and should be able to reach any location on the 
Internet, including your other sites after they are connected. 


7. Use VPNCFG to configure your VPN master server. Make sure you do the following:


° Specify the public IP address and subnet mask. In this example, 
specify 135.27.180.1 for the public IP address, and FF.FF.FC.0 for 
the subnet mask. 


° Specify the VPN tunnel IP address and subnet mask. In this 
example, specify 10.0.0.1 for the VPN tunnel IP address, and 
FF.0.0.0 for the subnet mask. 


Note VPNCFG automatically adds some filters to prevent the IP address of the VPN 
tunnel from being sent through the public interface, and to prevent the public IP 
address from being sent through the tunnel interface. 


° Generate encryption information for the VPN master server.
° Copy the encryption information to a diskette.


Refer to Novell BorderManager Enterprise Edition 3.5 Installation and 
Setup or the online help for the procedure to set up the master server. 


8. If you did not select the Setup BorderManager for Secure Access to the Public Interface option during installation, load BRDCFG and select this option.


9. Send the MINFO.VPN file with the master encryption information to the administrator configuring the VPN slave server.


10. Repeat Step 4, Step 5, Step 6, and Step 8 for the slave server.


11. At the VPN slave server, use VPNCFG to configure the VPN slave server. Make sure you do the following:


° Specify the public IP address and subnet mask. In this example, 
specify 135.145.188.25 for the public IP address, and FF.FF.FC.0 
for the subnet mask. 


° Specify the VPN tunnel IP address and subnet mask. In this 
example, specify 10.0.0.2 for the VPN tunnel IP address, and 
FF.0.0.0 for the subnet mask. 


° Generate encryption information for the VPN slave server using 
the master encryption information file (MINFO.VPN). Call the 
master server administrator and verify that the digest values match. 


° Copy the slave encryption information to a file. 


Refer to Novell BorderManager Enterprise Edition 3.5 Installation and 
Setup or the online help for the procedure to set up the slave server. 


12. Send the SINFO.VPN file with the slave encryption information back to the administrator configuring the VPN master server.


13. At the administrative workstation, install the BorderManager snap-in for the NetWare Administrator utility if it has not already been installed.


The installation program for this utility (SETUP.EXE) is in the 
\PUBLIC\BRDMGR\SNAPINS directory on the SYS: volume of your 
server after BorderManager has been installed. 


Note Perform this step from a client that is authenticated to the NDS™ tree in which
the VPN master server resides. The machine must be logged in with Supervisor
rights to the VPN master server. If this is the first VPN server or border server
on this tree, then Supervisor rights to the root directory are required in order to
extend the NDS schema.


14. In NetWare Administrator, double-click the VPN master server and select the BorderManager Setup page.


15. Click the VPN tab.


16. Double-click Master Site-to-Site under Enable Service.


Your master server should be listed in the VPN Members list. For
example, if you named the master server Corporate, you should see
Corporate displayed as a VPN member with an IP address of
135.27.180.1, as configured in Step 7.


17. Manually configure a list of networks protected by this VPN master server.


In this example, a list of protected networks must be configured for all 
VPN servers even if Enable IP RIP is selected. Because the public and 
private networks are subnets of the same network, the RIP packets that 
pass through the VPN tunnel interface are blocked by the default VPN 
filters. Because the routes to the protected networks cannot be learned 
using RIP, a list of protected networks must be configured manually. 


In this example, you can specify the 135.27.188.0 network as a protected 
network by completing the following substeps: 


17a. Double-click the slave server to view details for that server. 
17b. Click Add. 

17c. Select Network. 

17d. Enter 135.27.188.0 for the IP network address.

17e. Enter FF.FF.FC.0 for the subnet mask. 

17f. Click OK. 


17g. Specify any additional protected networks, then click OK to 
return to the main VPN page. 


18. Click Add to add the slave server to the VPN Members list.


19. Specify the name and pathname for the slave encryption information file (SINFO.VPN).


20. Ask the administrator of the VPN slave server to use VPNCFG to authenticate the encryption information and verify that the message digest values match. Click Yes if the values match.


To authenticate the encryption information using VPNCFG, select 
Authenticate Encryption Information. 


21. Click Yes to manually configure a list of networks protected by this VPN slave server.


In this example, a list of protected networks must be configured for all
VPN servers even if Enable IP RIP is selected. Because the public and 
private networks are subnets of the same network, the RIP packets that 
pass through the VPN tunnel interface are blocked by the default VPN 
filters. Because the routes to the protected networks cannot be learned 
using RIP, a list of protected networks must be configured manually. 


In this example, you can specify the 135.145.180.0 network as a 
protected network by completing the following substeps: 


21a. Double-click the slave server to view details for that server. 
21b. Click Add. 

21c. Select Network. 

21d. Enter 135.145.180.0 for the IP network address. 

21e. Enter FF.FF.FC.0 for the subnet mask. 

21f. Click OK. 


21g. Specify additional protected networks and modify other VPN 
parameters as needed, then click OK to return to the main 
VPN page. 


Note At this point, your master server recognizes the slave server, but the slave 
server has not been updated yet with the VPN configuration information. The 
slave server must be updated in order for the VPN to be brought up. Make sure 
that the master and slave servers are attached to the Internet through their 
respective ISPs so that they can communicate with each other and the master 
server can update the slave server. 


22. Update all VPN members with the entire VPN configuration as follows:


22a. From the main VPN page, click Status. 


22b. Click Synchronize All to update all VPN members with the 
current configuration. 


This might take some time, depending on the types of Internet 
connections and the number of members that must be updated. 
When the process is completed, all members should have a status 
of Up-to-Date. 


22c. If any VPN members remain with a status of Being 
Configured, select the member or master, then check the audit 
log for configuration errors. 


22d. Click OK. 


The VPN is now set up between two sites. You can add more sites 
and update all members at the same time. To add another site, 
repeat Step 9 through Step 22. 


Note that the firewall's public IP address must be prevented from being 
advertised through the VPN tunnel interface. If it is learned through this 
interface, packets destined for the public IP address will pass through the VPN 
tunnel interface and never arrive. 


From a routing standpoint, the VPN tunnel interface is just another interface. 
One attribute of this interface is that all routes that are advertised through it add 
a cost of only one. Because the VPN tunnel interface provides the lowest cost 
to any network or host that advertises through it, all future access to that 
network or host will be through the VPN tunnel interface, in which case the 
data is encrypted. However, because the networks learned through the VPN 
tunnel interface can be advertised by the public interface, you might want to 
configure filters to prevent the networks from being advertised. 


In this example, the VPN server is directly connected to the Internet. You must 
configure this machine as a firewall to secure the server and machines behind 
it. You should implement basic filtering using TCP/IP RIP filters and TCP/IP 
packet forwarding filters. If you do not want any clients to access the Internet, 
set all parameters to Deny, and allow only traffic that must pass through. If you 
selected the Setup BorderManager for Secure Access to Public Interface option 
during installation, these filters are already set for you and you are not required 
to perform any further configuration. 


VPN Servers Using Different Networks for Public and Private Addresses


As shown in Figure 1-2 on page 26, this scenario is the same as the previous
scenario, except that the public and private addresses use different Class B IP
addresses at each office.


The procedure for this scenario is almost the same as for the previous scenario, 
with the following differences: 


° Use FF.FF.F0.0 for the network masks of the public interfaces. 


° Instead of configuring a list of protected networks in Step 17 and Step 21, 
select Enable IP RIP to configure the use of a dynamic routing protocol. 
Figure 1-2 Remote Sites Using Different Networks for Public and Private Addresses that Are Linked by VPN Nodes Connected Directly to the Internet


Using the VPN Server behind a Firewall


In this example, the VPN master server for the Finance office in San Jose is 
behind a firewall server that is connected to the Internet, as shown in Figure 
1-3. The public IP address and subnet mask for the VPN server are part of a 
local network. The firewall has an IP address of 200.20.176.12 on the Internet 
connection. The VPN master server has a public IP address of 220.150.17.65. 
The local network is using a subnet mask of FF.FF.FF.C0.


The slave server in Athens is connected through an ISP. The public IP address 
and subnet mask are 135.145.188.25 and FF.FF.FC.0, respectively. Both 
offices are sharing data that must be encrypted and sent through a VPN tunnel. 
The procedure shows you how to connect the two remote sites using an 
encrypted tunnel to send the data. 
Figure 1-3 Remote Sites Linked by VPN Nodes behind a


To connect remote Internet sites using a VPN through a firewall, complete the
following steps:


1. Choose a master server for your VPN.


In this example, the San Jose site is selected because the corporate office 
has the Corporate Information Services staff, who are better equipped to 
manage the VPN. 


2. Contact an ISP and arrange for Internet connectivity for the slave server. Write down the public IP address and subnet mask that the ISP provides you.


Note Repeat this step for each site that will be a part of the VPN. 


In this example, the public IP address and subnet mask for the VPN
master in San Jose are 220.150.17.65 and FF.FF.FF.C0, respectively. The
public IP address and subnet mask for the VPN slave in Athens are
135.145.188.25 and FF.FF.FC.0, respectively.


3. Choose an IP address and mask to use for your VPN tunnel interface.


Because this address will never be sent over the Internet, it can be any 
unregistered address, for example, 10.0.0.1 and FF.0.0.0 for the master 
server, and 10.0.0.2 for the slave server. 


Note The master server and all slave servers must use IP addresses on the same 
network or subnet for the VPN tunnel interfaces. 


4. Install NetWare and BorderManager software on your master server.


5. Use NIASCFG to configure the protocols and routing on your master server:


° Configure a LAN interface to connect to your local network behind 
the firewall. 


° Enable TCP/IP.


° Bind TCP/IP to the LAN interface that connects your VPN server 
to your firewall (220.150.17.65). This interface must have a 
registered IP address. 


° Reinitialize the system to make these changes take effect. 
6. Establish a connection to your firewall router and verify that the master server can communicate with the ISP router.


Do this before you add the VPN. Before testing the connection, you must 
verify that the firewall is configured to allow ICMP packets through. 
After testing, the filters should be returned to their previous 
configuration. Because the Internet connectivity is provided by the 
firewall or another router, you are not required to make a WAN call. 
Enter LOAD PING at the console prompt and enter the IP address of the 
ISP router. If you can ping the router, you are connected to the ISP and 
should be able to reach any location on the Internet, including your other 
sites after they are connected. 


7. Use VPNCFG to configure your VPN master server. Make sure you do the following:


° Specify the public IP address and subnet mask. In this example,
specify 220.150.17.65 for the public IP address, and FF.FF.FF.C0
for the subnet mask.


° Specify the VPN tunnel IP address and subnet mask. In this 
example, specify 10.0.0.1 for the VPN tunnel IP address, and 
FF.0.0.0 for the subnet mask. 


Note VPNCFG automatically adds some filters to prevent the IP address of the VPN 
tunnel from being sent through the public interface, and to prevent the public IP 
address from being sent through the tunnel interface. 


° Generate encryption information for the VPN master server.
° Copy the encryption information to a diskette.


Refer to Novell BorderManager Enterprise Edition 3.5 Installation and 
Setup or the online help for the procedure to set up the master server. 


8. Configure your firewall to allow VPN packets to pass through.


For a list of filters that must be configured, refer to the prerequisites 
section in Novell BorderManager Enterprise Edition 3.5 Installation and 
Setup. 


9. Send the MINFO.VPN file with the master encryption information to the administrator configuring the VPN slave server.


10. Repeat Step 4, Step 5, Step 6, and Step 11 for the slave server.


11. If you did not select the Setup BorderManager for Secure Access to the Public Interface option for the slave server during installation, load BRDCFG and select this option.


12. At the VPN slave server, use VPNCFG to configure the VPN slave server. Make sure you do the following:


° Specify the public IP address and subnet mask. In this example, 
specify 135.145.188.25 for the public IP address, and FF.FF.FC.0 
for the subnet mask. 


° Specify the VPN tunnel IP address and subnet mask. In this 
example, specify 10.0.0.2 for the VPN tunnel IP address, and 
FF.0.0.0 for the subnet mask. 


° Generate encryption information for the VPN slave server using 
the master encryption information file (MINFO.VPN). Call the 
master server administrator and verify that the digest values match. 


° Copy the slave encryption information to a file. 


Refer to Novell BorderManager Enterprise Edition 3.5 Installation and 
Setup or the online help for the procedure to set up the slave server. 


13. Send the SINFO.VPN file with the slave encryption information back to the administrator configuring the VPN master server.


14. At the administrative workstation, install the BorderManager snap-in for the NetWare Administrator utility if it has not already been installed.


The installation program for this utility (SETUP.EXE) is in the 
\PUBLIC\BRDMGR\SNAPINS directory on the SYS: volume of your 
server after BorderManager has been installed. 


Note Perform this step from a client that is authenticated to the NDS tree in which the
VPN master server resides. The machine must be logged in with Supervisor
rights to the VPN master server. If this is the first VPN server or border server
on this tree, then Supervisor rights to the root directory are required in order to
extend the NDS schema.


15. In NetWare Administrator, double-click the VPN master server and select the BorderManager Setup page.


16. Click the VPN tab.


17. Double-click Master Site-to-Site under Enable Service.


Your master server should be listed in the VPN Members list. For 
example, if you named the master server Corporate, you should see 
Corporate displayed as a VPN member with an IP address of 
220.150.17.65, as configured in Step 7. 


18. Manually configure a list of networks protected by the VPN master server.


In this example, a list of protected networks must be configured for all 
VPN servers even if Enable IP RIP is selected. Because the public and 
private networks are subnets of the same network, the RIP packets that 
pass through the VPN tunnel interface are blocked by the default VPN 
filters. Because the routes to the protected networks cannot be learned 
using RIP, a list of protected networks must be configured manually. 


In this example, you can specify the 220.150.17.128 network as a 
protected network by completing the following substeps: 


18a. Double-click the slave server to view details for that server. 
18b. Click Add. 

18c. Select Network. 

18d. Enter 220.150.17.128 for the IP network address. 

18e. Enter FF.FF.FF.C0 for the subnet mask.

18f. Click OK. 


18g. Specify any additional protected networks, then click OK to 
return to the main VPN page. 


19. Click Add to add the slave server to the VPN Members list.


20. Specify the name and pathname for the slave encryption information file (SINFO.VPN).


21. Ask the administrator of the VPN slave server to use VPNCFG to authenticate the encryption information and verify that the message digest values match. Click Yes if the values match.


To authenticate the encryption information using VPNCFG, select 
Authenticate Encryption Information. 


22. Click Yes to manually configure a list of networks protected by this VPN slave server.


In this example, a list of protected networks must be configured for all 
VPN servers even if Enable IP RIP is selected. Because the public and 
private networks are subnets of the same network, the RIP packets that 
pass through the VPN tunnel interface are blocked by the default VPN 
filters. Because the routes to the protected networks cannot be learned 
using RIP, a list of protected networks must be configured manually. 


In this example, you can specify the 135.145.180.0 network as a 
protected network by completing the following substeps: 


22a. Double-click the slave server to view details for that server. 
22b. Click Add. 

22c. Select Network. 

22d. Enter 135.145.180.0 for the IP network address. 

22e. Enter FF.FF.FC.0 for the subnet mask. 

22f. Click OK. 


22g. Specify any additional protected networks and modify other 
VPN parameters as needed, then click OK to return to the 
main VPN page. 


Note At this point, your master server recognizes the slave server, but the slave
server has not been updated yet with the VPN configuration information. The
slave server must be updated in order for the VPN to be brought up. Make sure
that the master and slave servers are attached to the Internet through their
respective ISPs so that they can communicate with each other and the master
server can update the slave server.


23. Update all VPN members with the entire VPN configuration as follows:


23a. From the main VPN page, click Status. 


23b. Click Synchronize All to update all VPN members with the 
current configuration. 


This might take some time, depending on the types of Internet 
connections and the number of members that must be updated. 
When the process is completed, all members should have a status 
of Up-to-Date. 
23c. If any VPN members remain with a status of Being
Configured, select the member or master, then check the audit 
log for configuration errors. 


23d. Click OK. 


The VPN is now set up between two sites. You can add more sites 
and update all members at the same time. To add more sites, repeat 
Step 9 through Step 23. 


Note that the firewall's public IP address must be prevented from being 
advertised through the VPN tunnel interface. If it is learned through this 
interface, packets destined for the public IP address will pass through the VPN 
tunnel interface and never arrive. 


From a routing standpoint, the VPN tunnel interface is just another interface. 
One attribute of this interface is that all routes that are advertised through it add 
a cost of only one. Because the VPN tunnel interface provides the lowest cost 
to any network or host that advertises through it, all future access to that 
network or host will be through the VPN tunnel interface, in which case the 
data is encrypted. However, because the networks learned through the VPN 
tunnel interface can be advertised by the public interface, you might want to 
configure filters to prevent the networks from being advertised. 


In this example, access to the Internet by private clients is probably controlled 
by the firewall. However, depending on the firewall's configuration, you might 
want to implement filtering using TCP/IP RIP filters and TCP/IP packet 
forwarding filters to prevent access to the Internet. When configuring your 
firewall, do not remove any of the filters that are listed in the prerequisites 
section in Novell BorderManager Enterprise Edition 3.5 Installation and 
Setup. 
Setting Up a VPN within a Private Network


In this example, the Finance and Accounting servers in San Jose are on the 
corporate intranet or private network, as shown in Figure 1-4 on page 36. In 
this scenario, access to the Internet and an ISP are not required, just IP 
connectivity between the master server and slave server. The master server has 
a public IP address of 135.27.180.1, and the local network is using a subnet 
mask of FF.FF.FC.0. In this example, the master server and slave server must
use different subnet addresses because they are on different LAN segments. 
The slave server has an IP address of 135.27.184.1 and a subnet mask of 
FF.FF.FC.0. 


Although not shown in this example, the VPN nodes could also be joined using 
a point-to-point connection, which requires that the nodes have the same 
network address. 


Both departments are sharing data that must be encrypted and sent through a
VPN tunnel. The procedure shows you how to connect the two LAN segments
using an encrypted tunnel to send the data.
Figure 1-4 LAN Segments on an Intranet Linked by a VPN


To set up a VPN to operate within an intranet, complete the following steps: 


1. Choose a master server for your VPN.


In this example, a machine is selected that is easy to physically secure 
and easy for the Corporate Information Services staff to access. 


2. Choose an IP address and mask to use for your VPN tunnel interface.


Because this address will never be sent over the Internet, it can be any 
unregistered address, for example, 10.0.0.1 and FF.0.0.0 for the master 
server, and 10.0.0.2 for the slave server. 


Note The master server and all slave servers must use IP addresses on the same
network or subnet for the VPN tunnel interfaces.


3. Install NetWare and BorderManager software on your master server and slave server.


4. Use NIASCFG to configure the protocols and routing on your master server and slave server:


° Configure a LAN interface to connect to your local network. 
° Enable TCP/IP.


° Bind TCP/IP to the LAN interface (135.27.180.1 for the master 
server). Because VPN servers are not connected to the Internet, 
this interface is not required to use a registered IP address. 


° Reinitialize the system to make these changes take effect. 


Important Make sure that the IPX protocol is not bound to the public interface of any of the
VPN servers.


5. Verify that IP connectivity exists between the VPN members.


Before testing the connection, you must verify that the BorderManager 
filters or other firewalls are configured to allow ICMP packets through. 
After testing, the filters should be returned to their previous 
configuration. Enter LOAD PING at the console prompt of the VPN 
master server and enter the IP address of the VPN slave. 
6. Use VPNCFG to configure your VPN master server. Make sure you do the following:


° Specify the public IP address and subnet mask. In this example, 
specify 135.27.180.1 for the public IP address, and FF.FF.FC.0 for 
the subnet mask. 


° Specify the VPN tunnel IP address and subnet mask. In this 
example, specify 10.0.0.1 for the VPN tunnel IP address, and 
FF.0.0.0 for the subnet mask. 


Note VPNCFG automatically adds some filters to prevent the IP address of the VPN 
tunnel from being sent through the public interface, and to prevent the public IP 
address from being sent through the VPN tunnel interface. 
° Generate encryption information for the VPN master server.
° Copy the encryption information to a diskette. 


Refer to Novell BorderManager Enterprise Edition 3.5 Installation and 
Setup or the online help for the procedure to set up the master server. 


7. If you did not select the Setup BorderManager for Secure Access to the Public Interface option during installation on your master server and slave server, load BRDCFG and select this option.


8. Send the MINFO.VPN file with the master encryption information to the administrator configuring the VPN slave server.


9. At the VPN slave server, use VPNCFG to configure the VPN slave server. Make sure you do the following:


° Specify the public IP address and subnet mask. In this example, 
specify 135.27.184.1 for the public IP address, and FF.FF.FC.0 for 
the subnet mask. 


° Specify the VPN tunnel IP address and subnet mask. In this 
example, specify 10.0.0.2 for the VPN tunnel IP address, and 
FF.0.0.0 for the subnet mask. 


° Generate encryption information for the VPN slave server using 
the master encryption information file (MINFO.VPN). Call the 
master server administrator and verify that the digest values match. 


° Copy the slave encryption information to a diskette. 


Refer to Novell BorderManager Enterprise Edition 3.5 Installation and 
Setup or the online help for the procedure to set up the slave server. 


10. Send the SINFO.VPN file with the slave encryption information back to the administrator configuring the VPN master server.


11. At the administrative workstation, install the BorderManager snap-in for the NetWare Administrator utility if it has not already been installed.


The installation program for this utility (SETUP.EXE) is in the 
\PUBLIC\BRDMGR\SNAPINS directory on the SYS: volume of your 
server after BorderManager has been installed. 


Note Perform this step from a client that is authenticated to the NDS tree in which the
VPN master server resides. The machine must be logged in with Supervisor
rights to the VPN master server. If this is the first VPN server or border server
on this tree, then Supervisor rights to the root directory are required in order to
extend the NDS schema.


12. In NetWare Administrator, double-click the VPN master server and select the BorderManager Setup page.


13. Click the VPN tab.


14. Double-click Master Site-to-Site under Enable Service.


Your master server should be listed in the VPN Members list. For 
example, if you named the master server Corporate, you should see 
Corporate displayed as a VPN member with an IP address of 
135.27.180.1, as configured in Step 6. 


15. Manually configure a list of networks protected by this VPN master server.


In this example, a list of protected networks must be configured for all 
VPN servers even if Enable IP RIP is selected. Because the public and 
private networks are subnets of the same network, the RIP packets that 
pass through the VPN tunnel interface are blocked by the default VPN 
filters. Because the routes to the protected networks cannot be learned 
using RIP, a list of protected networks must be configured manually. 


In this example, you can specify the 135.27.188.0 network as a protected 
network by completing the following substeps: 


15a. Double-click the slave server to view details for that server.
15b. Click Add.

15c. Select Network.

15d. Enter 135.27.188.0 for the IP network address.

15e. Enter FF.FF.FC.0 for the subnet mask.

15f. Click OK.


15g. Specify any additional protected networks, then click OK to 
return to the main VPN page. 


16. Click Add to add the slave server to the VPN Members list.


17. Specify the name and pathname for the slave encryption information file (SINFO.VPN).


18. Ask the administrator of the VPN slave server to use VPNCFG to authenticate the encryption information and verify that the message digest values match. Click Yes if the values match.


To authenticate the encryption information using VPNCFG, select 
Authenticate Encryption Information. 


19. Click Yes to manually configure a list of networks protected by this VPN slave server.


In this example, a list of protected networks must be configured for all 
VPN servers even if Enable IP RIP is selected. Because the public and 
private networks are subnets of the same network, the RIP packets that 
pass through the VPN tunnel interface are blocked by the default VPN 
filters. Because the routes to the protected networks cannot be learned 
using RIP, a list of protected networks must be configured manually. 


In this example, you can specify the 135.27.176.0 network as a protected 
network by completing the following substeps: 


19a. Double-click the slave server to view details for that server. 
19b. Click Add. 

19c. Select Network. 

19d. Enter 135.27.176.0 for the IP network address. 

19e. Enter FF.FF.FC.0 for the subnet mask. 


19f. Click OK.


19g. Specify any additional protected networks and modify other
VPN parameters as needed, then click OK to return to the
main VPN page.


Note At this point, your master server recognizes the slave server, but the slave
server has not been updated yet with the VPN configuration information. The
slave server must be updated in order for the VPN to be brought up. Make sure
that the master and slave servers can communicate with each other so that the
master server can update the slave server.


20. Update all VPN members with the entire VPN configuration as 
follows: 


20a. From the main VPN page, click Status. 


20b. Click Synchronize All to update all VPN members with the 
current configuration. 


This might take some time, depending on the number of members 
that must be updated. When the process is completed, all members 
should have a status of Up-to-Date. 


20c. If any VPN members remain with a status of Being 
Configured, select the member or master, then check the audit 
log for configuration errors. 


20d. Click OK. 


The VPN is now set up between two LAN segments. You can add more 
segments and update all members at the same time. You can repeat Step 3 
through Step 20 to add another slave server. 


Note that if you are using a firewall, the firewall's public IP address must be 
prevented from being advertised through the VPN tunnel interface. If it is 
learned through this interface, packets destined for the public IP address will 
pass through the VPN tunnel interface and never arrive. 


From a routing standpoint, the VPN tunnel interface is just another interface. 
One attribute of this interface is that all routes that are advertised through it add 
a cost of only one. Because the VPN tunnel interface provides the lowest cost 
to any network or host that advertises through it, all future access to that 
network or host will be through the VPN tunnel interface, in which case the 
data is encrypted. However, because the networks learned through the VPN 
tunnel interface can be advertised by the public interface, you might want to 
configure filters to prevent the networks from being advertised. 
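The protected-network entry in Step 19 is typed as an IP network address plus a hexadecimal dotted mask (FF.FF.FC.0), and the two paragraphs above explain what goes wrong when a public address such as a firewall's falls inside such an entry: the tunnel becomes the lowest-cost route and the packets never arrive. The following Python is an added example, not code from the BorderManager product or from this manual. It converts the hexadecimal mask to a prefix length, builds the protected network, reports which destinations would be sent through the tunnel, and flags public addresses that an entry would swallow. The host address 135.27.177.10 and the firewall address 135.27.10.1 are constructed for the example.

```python
import ipaddress
from typing import Iterable, List


def hex_mask_to_prefix(mask: str) -> int:
    """Convert a VPNCFG-style hexadecimal dotted mask (for example FF.FF.FC.0)
    into a CIDR prefix length. Masks whose set bits are not contiguous are rejected."""
    parts = mask.split(".")
    if len(parts) != 4:
        raise ValueError(f"mask must have four hex octets: {mask!r}")
    octets = [int(p, 16) for p in parts]
    if any(o < 0 or o > 0xFF for o in octets):
        raise ValueError(f"octet out of range in mask {mask!r}")
    bits = "".join(f"{o:08b}" for o in octets)
    ones = bits.rstrip("0")
    if "0" in ones:
        raise ValueError(f"non-contiguous mask {mask!r}")
    return len(ones)


def protected_network(address: str, hex_mask: str) -> ipaddress.IPv4Network:
    """Build a protected-network entry as entered in VPNCFG: IP network address
    plus hexadecimal subnet mask. strict=True rejects host bits in the address."""
    return ipaddress.IPv4Network(f"{address}/{hex_mask_to_prefix(hex_mask)}", strict=True)


def routed_through_tunnel(destination: str,
                          protected: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if the destination matches a protected network and will therefore be
    sent, encrypted, through the VPN tunnel interface."""
    dst = ipaddress.IPv4Address(destination)
    return any(dst in net for net in protected)


def swallowed_public_addresses(protected: Iterable[ipaddress.IPv4Network],
                               public_addresses: Iterable[str]) -> List[str]:
    """Return public addresses (for example a firewall's public interface) that fall
    inside a protected network. Packets to these would be pulled into the tunnel and
    never arrive, so this list should be empty before the configuration is synchronized."""
    nets = list(protected)
    return [a for a in public_addresses if routed_through_tunnel(a, nets)]


if __name__ == "__main__":
    # Constructed values: the 135.27.176.0 / FF.FF.FC.0 entry from Step 19 plus sample hosts.
    entry = protected_network("135.27.176.0", "FF.FF.FC.0")
    print("protected:", entry)                                   # 135.27.176.0/22
    print("135.27.177.10 via tunnel:", routed_through_tunnel("135.27.177.10", [entry]))
    print("135.27.180.1 via tunnel:", routed_through_tunnel("135.27.180.1", [entry]))
    # A too-wide entry would swallow the (constructed) firewall public address.
    wide = protected_network("135.27.0.0", "FF.FF.0.0")
    print("swallowed:", swallowed_public_addresses([wide], ["135.27.10.1"]))
```

Run the check against the complete protected-network list of every VPN member together with every public address the VPN servers and firewall use; a non-empty result from swallowed_public_addresses means the list has to be narrowed, or a filter has to stop that route from being advertised through the tunnel interface, before the configuration is synchronized.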
Setting Up Client-to-Site VPNs 


This section explains the advanced tasks you complete to configure a client-to-
site VPN and to make a client-to-site connection. This section contains the 
following procedures: 


° “Setting Up the Phone Book Capability” on page 42 
° “Distributing VPN Server Addresses to Users” on page 46 
° “Setting Up Dial Properties” on page 47 
° “Setting Up Remote Access on a VPN Server to Support Dial-In VPN 
Clients” on page 47 


Setting Up the Phone Book Capability 


The phone book capability enables you to easily dial an ISP by selecting a 
phone number from a preconfigured phone book or from a phone book that you 
created. Because the VPN client can use any phone book created in the 
Microsoft* Connection Manager, the VPN client can find any phone book 
distributed by an ISP that was created in that format and enables you to select 
entries from it. Furthermore, ISP phone books that were not created by the 
Microsoft Connection Manager can be converted to a usable format using the 
VPN client phone book capability. 


When the phone book capability is selected, any phone books found on the 
workstation are listed in the Phone Book drop-down menu. The list can contain 
the following phone book names: 
° Microsoft Network. 
° iPass* Corporate Connection. 
° Any other phone books located on the workstation that were created 
using the Microsoft Connection Manager. These phone books will be 
named after the directories in which they are located. 
° Any phone book that was created using the VPN client phone book 
capability. 
° Any phone book that was converted with the VPN client phone book 
capability. 
Selecting a Phone Number from a Phone Book 


To select a phone number from a phone book, complete the following steps: 


1. From the VPN Login dialog box, click the Dial-Up tab, then click 
Settings. 

2. Click Phone Book. 

3. Select a phone book from the Phone Book drop-down menu. 

4. Select a country from the Country drop-down menu. 

Only countries that contain phone book entries are displayed. 

5. Select a state or region from the State or Region drop-down menu. 

When a state or region is selected, only phone book entries for that state 
or region are displayed. If no states or regions were assigned to the phone 
book entries, the drop-down menu is grayed out and all phone book 
entries for the selected country are displayed. 

6. To sort the phone book entries, click the Sort by Name or Sort by 
Number radio buttons. 

7. To select a phone book entry, double-click the desired entry and click 
OK. 


Converting an ISP Phone Book 


To convert an ISP phone book to the Microsoft Connection Manager format, 
complete the following steps: 


1. From the VPN Login dialog box, click the Dial-Up tab, then click 
Settings. 

2. Click Phone Book, then click Manage. 

3. Select Convert an ISP Phone Book. 

4. Select the type of ISP phone book that will be converted and click 
Convert. 

Currently, only EarthLink Network* and NETCOMplete* phone books 
can be converted. 

A default directory is indicated for each phone book. If you choose to not 
load a phone book in the default directory, you must set the path to the 
correct directory, as described in “Defining the Phone Book Path” on 
page 46. 

When the phone book is converted, it is displayed in the Phone Book 
drop-down menu, allowing you to select phone book entries. 


Creating a New Phone Book 


To create a new phone book, complete the following steps: 


1. From the VPN Login dialog box, click the Dial-Up tab, then click 
Settings. 

2. Click Phone Book, then click Manage. 

3. Select Create a New Phone Book. 

4. Enter a name for the phone book. 

5. For each phone book entry, complete the following substeps: 

5a. Select a country. 

5b. Select a state or region. 

If a state or region does not exist for the selected country, select All 
or add a new state or region by editing the file 
\NOVELL\VPNC\PHONE BOOKS\DEFAULT.PBR. Use a text 
editor to add new regions to the end of the file and increment the 
number on the first line of the file to match the new number of 
regions in the file. 

5c. Enter a location name. 
5d. Enter an area code. 
5e. Enter a phone number. 
5f. Click Add. 

6. Click Save to save the phone book entries. 


Changing the States and Regions 


When a phone book is created, states and regions are retrieved for display from 
the DEFAULT.PBR file in the PHONE BOOKS directory. When a newly 
created phone book is saved, the states and regions are saved in a newly created 
phone book directory under the PHONE BOOKS directory. The system 
administrator can change the DEFAULT.PBR file to add, replace, or delete states 
or regions and then distribute the file to the users. When editing the file, you 
must make sure that the first entry indicates the number of states or regions 
listed in the file. 
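Both Step 5b above and this section describe the same hand edit of DEFAULT.PBR: append regions at the end and keep the count on the first line in step with the entries. The following Python is an added example, not a Novell utility, that does that edit and refuses a file whose count line already disagrees with its entries. It assumes the layout the manual describes (a count on the first line, then one region name per line) and nothing more about the file; SAMPLE_PBR is constructed content, not a copy of the shipped DEFAULT.PBR.

```python
from pathlib import Path
from typing import List


def parse_pbr(text: str) -> List[str]:
    """Parse DEFAULT.PBR-style content: first line holds the region count, each
    following non-empty line names one region (assumed layout, see lead-in).
    Raises ValueError when the count disagrees with the entries, which is the
    mistake the manual warns about when the file is edited by hand."""
    lines = text.splitlines()
    if not lines or not lines[0].strip().isdigit():
        raise ValueError("first line must be the region count")
    declared = int(lines[0].strip())
    regions = [ln.strip() for ln in lines[1:] if ln.strip()]
    if declared != len(regions):
        raise ValueError(f"count line says {declared} regions but {len(regions)} are listed")
    return regions


def render_pbr(regions: List[str]) -> str:
    """Write the regions back out with a correct count on the first line."""
    return "\n".join([str(len(regions)), *regions]) + "\n"


def add_regions(text: str, new_regions: List[str]) -> str:
    """Append regions to the end of the file, as the manual instructs, and update
    the count. Regions already present are skipped so a re-run changes nothing."""
    regions = parse_pbr(text)
    for region in new_regions:
        if region not in regions:
            regions.append(region)
    return render_pbr(regions)


def update_pbr_file(path: Path, new_regions: List[str]) -> int:
    """Edit a .PBR file in place and return the new region count. The file is
    re-parsed after writing so a bad write is caught before distribution."""
    updated = add_regions(path.read_text(encoding="latin-1"), new_regions)
    path.write_text(updated, encoding="latin-1")
    return len(parse_pbr(updated))


# Constructed sample content (three regions), not Novell's shipped DEFAULT.PBR.
SAMPLE_PBR = "3\nAll\nCalifornia\nUtah\n"

if __name__ == "__main__":
    print(add_regions(SAMPLE_PBR, ["Nevada"]), end="")   # first line becomes 4
```

Run update_pbr_file against the administrator's master copy before it is distributed; because the parser re-checks the count, a file that would make the client's State or Region list come up wrong is rejected instead of being shipped to users.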


Editing a Phone Book 
You can edit the entries in any phone book that you created or converted. You 
cannot edit phone books that were created by an ISP in Microsoft Connection 
Manager format. 


To edit a phone book, complete the following steps: 


1. From the VPN Login dialog box, click the Dial-Up tab, then click 
Settings. 


2. Click Phone Book, then click Manage. 
3. Select Edit an Existing Phone Book. 


4. Select the name of the phone book that you want to edit from the 
drop-down menu. 


5. Double-click the phone book entry that you want to edit and make 
the desired changes. 


6. Click Save to save your changes. 


Protecting a Phone Book 


To disable the user’s capability of editing a phone book that you created, 
complete the following steps: 


1. Remove the line UpdateFlags=1 from the .ini file in the phone book 
directory. 

Without this line, the phone book will not appear as a phone book 
selection when you attempt to edit it. 

2. Change the attributes of all files in the phone book directory to 
Read-only. 

3. Make a copy of the phone book directory and distribute it to the 
users. 
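The three steps above can be scripted so that every distributed phone book is prepared the same way. The following Python is an added example, not part of the VPN client: it removes the UpdateFlags=1 line from each .ini file, clears the write permission on every file in the directory (on Windows os.chmod with S_IREAD sets the Read-only attribute), and copies the result to a staging directory for distribution. The phone book directory it builds for its self-check is constructed placeholder content, not a real Connection Manager book.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def strip_update_flag(ini_text: str) -> str:
    """Step 1: drop the UpdateFlags=1 line. The key is matched case-insensitively
    and spaces around '=' are tolerated, so a hand-edited .ini is still handled."""
    kept = []
    for line in ini_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "updateflags" and value.strip() == "1":
            continue
        kept.append(line)
    trailing = "\n" if ini_text.endswith("\n") else ""
    return "\n".join(kept) + trailing


def protect_phone_book(directory: Path) -> List[Path]:
    """Steps 1 and 2 on one phone book directory: edit every .ini file, then clear
    the write bit on every file. Safe to re-run: an .ini made read-only by an
    earlier run is made writable again before it is edited."""
    locked = []
    for entry in sorted(directory.iterdir()):
        if not entry.is_file():
            continue
        if entry.suffix.lower() == ".ini":
            os.chmod(entry, stat.S_IREAD | stat.S_IWRITE)
            entry.write_text(strip_update_flag(entry.read_text()))
        os.chmod(entry, stat.S_IREAD)   # Read-only attribute on Windows, mode 0400 on POSIX
        locked.append(entry)
    return locked


def stage_for_distribution(directory: Path, staging_root: Path) -> Path:
    """Step 3: copy the protected directory under staging_root, keeping the file modes."""
    target = staging_root / directory.name
    shutil.copytree(directory, target)
    return target


def demo_on_constructed_phone_book() -> Dict[str, object]:
    """Self-check on a constructed phone book directory in a temp folder."""
    folder = Path(tempfile.mkdtemp(prefix="phonebook_"))
    (folder / "CORP.ini").write_text("[Phone Book]\nName=Corp\nUpdateFlags=1\n")
    (folder / "README.txt").write_text("constructed placeholder\n")
    locked = protect_phone_book(folder)
    return {
        "files_locked": [p.name for p in locked],
        "ini_has_flag": "UpdateFlags=1" in (folder / "CORP.ini").read_text(),
        "all_read_only": all(
            stat.S_IMODE(p.stat().st_mode) & stat.S_IWRITE == 0 for p in locked
        ),
    }


if __name__ == "__main__":
    print(demo_on_constructed_phone_book())
```

The Read-only attribute keeps the VPN client from offering the book for editing and guards against accidental changes; it is not an access control, since anyone who can write to the directory can clear the attribute again, so if the entries must not be altered, distribute the directory to a location the user cannot write.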


Defining the Phone Book Path 


Normally, the VPN phone book utility can locate phone books that use the 
Microsoft Connection Manager format. However, if the VPN phone book 
utility cannot find a phone book that uses the Microsoft Connection Manager 
format, you should move the phone book files to the directory listed in the 
Define Phone Book Path dialog box or change the path configured in the dialog 
box. 


To change the phone book path, complete the following steps: 


1. From the VPN Login dialog box, click the Dial-Up tab, then click 
Settings. 


2. Click Phone Book, then click Manage. 
3. Select Define Phone Book Path. 


4. Set Alternate Phone Book Path to the location of the phone book files 
and click OK. 


Distributing VPN Server Addresses to Users 


If you have a file named VPNHOSTS.TXT in the DISK1 directory of your 
VPN client installation directory, the installation program will take IP 
addresses from this file and enter them into the workstation’s Registry. Each 
line of the VPNHOSTS.TXT file might contain one address, optionally 
followed by a description of the entry. For example: 


130.1.1.1 My Corporate VPN in San Jose 


These entries can be edited using any text editor. You can create the 
VPNHOSTS.TXT file in the DISK1 directory of your VPN client installation 
directory, and distribute the DISK1 and DISK2 directories to the users. 
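Because the installer copies whatever is in VPNHOSTS.TXT into every workstation's Registry, a typo in an address is worth catching before the DISK1 directory is distributed. The following Python is an added example, not the installer's own parser: it reads the one-address-per-line format described above, keeps the optional description, rejects any line whose first token is not an IPv4 address, and reports duplicated addresses. SAMPLE_VPNHOSTS is constructed from the manual's example line plus a second constructed entry.

```python
import ipaddress
from typing import List, NamedTuple


class VpnHost(NamedTuple):
    address: str
    description: str


def parse_vpnhosts(text: str) -> List[VpnHost]:
    """Parse VPNHOSTS.TXT: one IP address per line, optionally followed by a
    free-text description. Blank lines are skipped. A line whose first token is
    not a valid IPv4 address raises ValueError naming the line number."""
    hosts: List[VpnHost] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)          # split on any whitespace, once
        first = parts[0]
        description = parts[1].strip() if len(parts) > 1 else ""
        try:
            addr = ipaddress.IPv4Address(first)
        except ipaddress.AddressValueError as exc:
            raise ValueError(
                f"VPNHOSTS.TXT line {lineno}: {first!r} is not an IPv4 address"
            ) from exc
        hosts.append(VpnHost(str(addr), description))
    return hosts


def duplicate_addresses(hosts: List[VpnHost]) -> List[str]:
    """Addresses that appear more than once, in first-seen order."""
    seen = set()
    dups: List[str] = []
    for host in hosts:
        if host.address in seen and host.address not in dups:
            dups.append(host.address)
        seen.add(host.address)
    return dups


# Constructed sample: the manual's example line plus one entry with no description.
SAMPLE_VPNHOSTS = "130.1.1.1 My Corporate VPN in San Jose\n\n130.1.2.1\n"

if __name__ == "__main__":
    for host in parse_vpnhosts(SAMPLE_VPNHOSTS):
        print(f"{host.address:15} {host.description}")
```

Run the parser over the file you are about to ship; a raised ValueError points at the offending line, and a non-empty duplicate list means the same server would be listed twice in every user's VPN Login dialog.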
Setting Up Dial Properties 
You can configure the dial properties for Microsoft Dial-Up Networking 
connections using the VPN client login interface. For more information about 
the dial properties, refer to the Microsoft documentation for Dial-Up 
Networking. 


To configure the dial properties using the VPN client interface, complete the 
following steps: 


1. From the VPN Login dialog box, click the Dial-Up tab, then click 
Settings. 


2. Click Dial Properties. 


3. Configure the properties for each Microsoft Dial-Up Networking 
connection, as required, and click OK. 


Setting Up Remote Access on a VPN Server to Support Dial-In VPN Clients 
This section describes how to configure the remote access software to support 
Novell® BorderManager™ VPN clients. Remote access is required only for 
VPN clients that dial in to a VPN server directly. It is not required for VPN 
clients that access a VPN server through an ISP connection. 
The configuration of remote access consists of the following procedures: 
° “Adding a Board Using a Serial Port Driver” on page 47 
° “Setting Up PPPRNS to Support Remote IP Nodes” on page 52 
° “Setting Up PPPRNS Security” on page 60 
° “Setting Up a Remote Client Password” on page 61 


Adding a Board Using a Serial Port Driver 
This section describes how to configure a board to support dial-in clients. Two 
separate procedures are required to configure a board using a serial port driver. 


This section contains the following procedures: 


° “Loading the AIO Drivers” on page 48 
° “Setting Up Ports for Remote Access” on page 49 


Loading the AIO Drivers 


To load the appropriate driver, complete the following steps: 


1. Insert a physical AIO board into your system or enable one of your 
COM ports. 

2. Load NIASCFG. 

3. Select Configure NIAS > Remote Access > Set Up... > Add a Serial 
Adapter Board. 

If you are loading NIASCFG for the first time, the program prompts you 
with instructions to configure remote access. These instructions roughly 
correspond to the procedures contained in this section. 

4. For each communications adapter you have installed, load its AIO 
driver once by selecting the appropriate serial adapter entry from 
the list. 

5. If no AIO ports are defined or the board cannot be loaded, you see a 
warning message. Press Enter and step through configuring the 
board. Otherwise, skip to Step 8. 

To configure a board, you must enter its name and other specific 
information. Follow the prompts on the screen. 

6. If you are using an ISDN connection, press Ins and select the 
WHSMCAPI driver. 

Note Some ISDN boards, such as the USRobotics* Allegra series for the NetWare® 
software, use WAN ODI drivers instead of WHSMCAPI. Select the appropriate 
driver, or press Ins and use your manufacturer-supplied driver diskette. Specify 
your board parameters, then continue with Step 8. 

7. If you are using a Point-to-Point Tunneling Protocol (PPTP) 
connection, do the following: 

7a. Press Ins and select the AIOPPTP driver. 

7b. Select Number of AIOPPTP Ports and select a value. 

This number is used in conjunction with First AIO Port Number to 
determine the total number of ports, starting with the first port, that 
are available for use by PPTP. 

Valid values range from 4 to 249. 

8. Select Continue with Automated Setup after the remote access 
software has determined which ports have modems attached. Select 
Try Modem Discovery Again if modems were not discovered (not 
turned on). 

Setting Up Ports for Remote Access 


You use the NIASCFG utility to configure the remote access ports. When the 
utility starts, function keys are enabled. The keys that are enabled for a 
particular remote access window are displayed at the bottom of the utility 
window. Table 1-1 summarizes the key functions. 
Table 1-1 Remote Access Function Key Definitions 

Function Key   Operation 
F1             Open context-sensitive help 
F2             Customize a configuration report; save port statistics to file; 
               write an audit report to file 
F3             Rename; modify the field 
F4             Copy from 
F5             Mark/unmark (select multiple items from a list) 
F6             Copy to 
F7             Clear all marks 
F8             Display instructions; identify the port 
F10            Activate the AIOPAD configuration; run a service-specific NetWare 
               Loadable Module™ (NLM™) file 
Alt+F1         Display additional key help 
Alt+F5         Mark all 
Alt+F7         Abort the configuration report 


To configure ports for remote access, complete the following steps: 


1. Load NIASCFG. 


2. Select Configure NIAS > Remote Access. 


The Remote Access Options window is displayed. 


3. Select Configure Ports. 


A window listing port information by port name is displayed. The 
window lists the ports that the AIO NLM recognizes. Default port names 
are assigned, depending on the existing configuration. 
The Status column displays the status of the port: Available, Unavailable 
(the driver is not loaded), or Port_Acquired. 


4. Select the port that you want to configure and press Enter. 


5. Specify the following port parameters: 


° Port Name—Enter a unique port name of up to 15 characters, or up 
to 14 characters if you will use the port for the NASI™ (NetWare 
Asynchronous Services Interface™) Connection Service (NCS). 
Only alphanumeric characters, underscores (_), hyphens (-), and 
periods (.) are allowed. Port names must be unique on a server and 
begin with a letter in the first character position. The port name can 
indicate the type of connection, the telephone number of the port, 
or other information for troubleshooting purposes. Default port 
names are supplied based on the driver type. In NASI applications, 
port names are called specific names. More information is located 
in the NetWare 5™ online documentation at the following path: 


Contents > Connectivity Services (under Network Services 
heading) > Remote Access Configuration 


° Port Description—(Optional) Enter a description for the port. For 
example, if you plan to use the port to manage remote access, you 
can describe it as System administrator's private line. 


° Modem Type—Select Modem Type and press Enter. A list of 
modem types is displayed. Select the type of modem that is 
attached to the port. 


If your modem is not listed, select a similar modem. If no similar 
modems are listed, select Hayes* Compatible. Select Automatic 
Detection to have the remote access software determine the 
modem type for you. The default is None, which means that the 
line is a direct connection and does not use a modem. 


For direct connections, select None. For X.25 ports, select 
AIOPAD. For ISDN adapters (not ISDN terminal adapters that 
connect to a serial port like a modem), select ISDN (AT 
Controlled). For PPTP ports, select AIOPPTP. 
Note For a list of supported modems and the current support file, download 
NWCMOD.EXE from developer.novell.com/devres/wan/modemscr/ 
mdmscr.htm. Note that the modem script files in BorderManager are not 
backward-compatible with the NetWare Connect® 2.0 software. More 
information about creating and editing modem scripts is located in the NetWare 
5 online documentation at the following path: 


Contents > Connectivity Services (under Network Services heading) > Routing 
Configuration 


6. (Optional) Select Additional Parameters and press Enter. 


The Port Configuration window displays additional port configuration 
parameters. Usually, you can keep the defaults for most of these 
parameters. More information about configuring these parameters is 
located in the NetWare 5 online documentation at the following path: 


Contents > Connectivity Services (under Network Services heading) > 
Remote Access Configuration 


7. When you have configured the port, press Esc and select Yes to save 
the changes. 


8. Press Esc to return to the Remote Access Options window. 


Setting Up PPPRNS to Support Remote IP Nodes 

This section describes how to configure your server to support remote IP users. 
Several separate procedures are required to configure Point-to-Point Protocol 
Remote Node Service (PPPRNS) for remote IP nodes. This section contains the 
following procedures: 

° “Setting Up the Server as a TCP/IP Router” on page 52 

° “Loading PPPRNS with IP Support” on page 54 

° “Setting Up PPPRNS for IP Support” on page 58 


° “Setting Up Client Software” on page 59 


Setting Up the Server as a TCP/IP Router 
To provide remote access to other TCP/IP hosts on the network, you must 
configure the remote access server as an IP router. TCP/IP routing enables 
forwarding IP traffic from one network to another. 


You use the Protocols and Routing option in NIASCFG to configure your 
server as an IP router. More information about using this option and 
configuring a TCP/IP router is located in the NetWare 5 online documentation 
at the following path: 


Contents > Connectivity Services (under Network Services heading) > Routing 
Configuration 


Important When you configure the server as an IP router, the appropriate LOAD and 
BIND commands are added to the INITSYS.NCF and NETINFO.CFG files in 
the SYS:\ETC subdirectory. 


Note Modifications to existing IP addresses take effect the next time you load 
TCPIP.NLM, start the remote access server, or reinitialize the system. 


You can also use the Protocols and Routing option in NIASCFG to configure 
PPTP on a remote access server. PPTP allows the remote access software to 
accept PPP calls from remote users through any ISP that supports PPTP by 
tunneling PPP packets through an IP tunnel. 


Your ISP must have a PPTP access concentrator, and your network must have 
access to a port on that concentrator. Contact your ISP for details. 


You can configure the remote access server as a Dynamic Host Configuration 
Protocol (DHCP) server. Use this option to assign IP addresses to remote 
access clients from the remote access server address range through DHCP 
(refer to “Loading PPPRNS with IP Support” on page 54). You can also use 
this option when the clients want to obtain client information such as the 
domain name server from the remote access server (refer to “Setting Up 
PPPRNS for IP Support” on page 58). 


To install the DHCP server, complete the following steps: 


1. Enter the following command at the console prompt on the remote 
access server: 


For NetWare 4.11 systems, LOAD DHCPD 


For NetWare 5 systems, LOAD DHCP 


2. Set the following parameters. 


For more information about these parameters, refer to “Loading 
PPPRNS with IP Support” on page 54. 


2a. Set the Client Address Range parameter to Yes. 

2b. Enter the IP addresses for the Client Address Range Start and 
Client Address Range End parameters. 


2c. If necessary, enter IP addresses for the Secondary Local IP 
Address, Secondary Address Range Start, and Secondary 
Address Range End parameters. 


2d. If your clients want to receive domain information from the 
DHCP server, specify the Domain Name Server Address and 
Domain Name parameters. 


Note The DHCPD and DHCP NLM files can be used only for remote node clients. 
They cannot be used for LAN clients. You must set up a separate DHCP server 
for LAN clients. 


Loading PPPRNS with IP Support 
Loading PPPRNS with IP support allows IP clients to dial in and become 
remote nodes on the network. This procedure adds the appropriate LOAD and 


BIND commands to the NETINFO.CFG file. 


Table 1-2 describes the IP parameters that you configure for PPPRNS with IP 
support. 


Table 1-2 PPPRNS IP Parameters 


Parameter: Local IP Address 
Description: Specifies the local IP address for the WAN interface on the remote access server. This 
is a 4-byte (32-bit) numeric value that identifies both a network and a local host or 
node on that network. The address is represented in dotted decimal notation. Each 
byte is represented by a decimal number, with periods separating the bytes, for 
example, 130.57.45.240. Each byte can range from 0 through 255. Do not use 
hexadecimal numbers. 

The local IP address must be on the same subnet as the client address range. The 
remote access software creates a virtual LAN segment (network) for all IP clients 
accessing this server. 

The IP address on the remote node can be configured statically or dynamically: 
Statically—The user explicitly specifies the IP address in the client software. 
Dynamically—The remote access software assigns IP addresses through the Internet 
Protocol Control Protocol (IPCP). Specify a client range. 
Dynamically—The remote access server is a DHCP server and assigns IP addresses. 
Configure the remote access server as a DHCP server. 


Parameter: Subnet Mask 
Description: Specifies a 4-byte subnet mask in dotted decimal notation. Each byte ranges from 0 
through 255, with periods separating the bytes. 


Parameter: Use Header Compression 
Description: Specifies whether to use header compression over the WAN link with the remote 
client. The default is No. 

If you specify Yes, the remote access IP service will use TCP header compression 
with all remote access clients connecting to this address. Make sure that the settings 
for header compression on the server and the client agree: both are enabled or both 
are disabled. If the client is not configured to use header compression but the server 
is, TCP will not run between the remote access server and the client. 


Parameter: Specify Client Address Range 
Description: Specifies whether the remote access software assigns IP addresses to the remote 
nodes. After you have specified the range and a client requests an address, the remote 
access software chooses an address that is not in use by another client from the 
address range and assigns it to the requesting client. 

Address assignments can be made through either IPCP or DHCP if the remote access 
server is configured as a DHCP server. If the remote access server is not configured 
as a DHCP server and a client address range is specified, IPCP address assignment is 
used. 


Parameter: Client Address Range Start 
Description: Specifies the starting address for the remote IP client address range. The client 
address range must be on the same network or subnet as the server address specified 
in the Local IP Address parameter. 


Parameter: Client Address Range End 
Description: Specifies the ending address for the remote IP client address range. 


Parameter: Specify Secondary Client Address Range 
Description: Note: You configure a user to use the primary or secondary client address range with 
the NetWare Administrator utility. The secondary client address range feature might 
or might not be available on your system; it is an optional part of the standard Novell 
remote access software. 


Parameter: Secondary Local IP Address 
Description: Specifies an additional (secondary) local IP address on the remote access server. 


Parameter: Secondary Subnet Mask 
Description: Specifies an additional (secondary) subnet mask on the remote access server. 


Parameter: Secondary Address Range Start 
Description: Specifies the starting address for the secondary remote IP client address range. 
Important: This is a separate group of addresses that you can specify to limit or 
restrict access to network locations. 


Parameter: Secondary Address Range End 
Description: Specifies the ending address for the secondary remote IP client address range. 
Important: This is a separate group of addresses that you can specify to limit or 
restrict access to network locations. 


To load PPPRNS with IP support, complete the following steps: 
1. Load NIASCFG. 


2. Select Configure NIAS > Remote Access > Set Up... > Select Remote 
Access Services > PPPRNS > IP. 

3. Select Local IP Address and enter a valid, unique local IP address. 

The local IP address must be on the same subnet as the client address range. 


4. Select Subnet Mask and enter a 4-byte value in dotted decimal 
notation. 


5. Select Use Header Compression, then specify Yes to use TCP header 
compression. Otherwise, specify No. 


Make sure the settings for header compression on the server and the client 
agree, that is, both are enabled or disabled. 
6. Select Specify Client Address Range and do the following: 


Important The Client Address Range parameters must be set when the remote access 
server is configured as a DHCP server. 


6a. Specify Yes if you want the remote access server to assign IP 
addresses to the remote nodes. Otherwise, specify No and 
continue with Step 7. 


6b. Specify the Client Address Range Start and Client Address 
Range End parameters. 


Note The address range is for address assignment only, and is not for authenticating 
the remote IP address. If the client already has an address configured locally 
and does not need address assignment from the remote access server, the 
remote access software will not check the client address against the address 
range to make sure it is within the range. 


7. (Optional) Select Specify Secondary Client Address Range and do 
the following: 


7a. Specify Yes if you want the remote access server to assign 
secondary IP addresses to the remote nodes. Otherwise, specify 
No and continue with Step 8. 


7b. Specify the Secondary Subnet Mask, Secondary Address 
Range Start, and Secondary Address Range End parameters. 


Note The secondary address parameters might not be available on your system. If 
these parameters are available, you can use them to limit access to certain 
network locations. 


8. Press Esc and specify Yes to save your changes. 


The service is selected but is not necessarily running. When a service is 
selected, it is added to the NWCSTART.NCF file. To verify that the 
service is running, you can view service statistics. More information is 
located in the NetWare 5 online documentation at the following path: 


Contents > Connectivity Services (under Network Services heading) > 
Routing and Remote Access Management and Optimization 


The changes take effect the next time you start the PPPRNS service. 
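The constraints spread across Steps 3 through 7 and Table 1-2 (the local address and the client range on one subnet, a client range required whenever the server is loaded as a DHCP server, header compression agreeing on server and client) can be checked before the values are typed into NIASCFG. The following Python is an added example and not a Novell tool: the PpprnsIpConfig field names mirror the Table 1-2 parameters but are my own, the sample addresses (130.57.45.240 and the 130.57.45.1 to 130.57.45.100 range) are constructed, and the check that the local address lies outside the client range is an added sanity check the manual does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PpprnsIpConfig:
    """The NIASCFG values from Table 1-2 that the checks below look at
    (field names are this example's own, not the product's)."""
    local_ip: str
    subnet_mask: str
    use_header_compression: bool = False
    specify_client_address_range: bool = False
    client_address_range_start: Optional[str] = None
    client_address_range_end: Optional[str] = None
    dhcp_loaded: bool = False     # True once LOAD DHCPD / LOAD DHCP has been run


def validate_ppprns_ip(cfg: PpprnsIpConfig) -> List[str]:
    """Return a list of problems; an empty list means the values are consistent."""
    problems: List[str] = []
    try:
        local = ipaddress.IPv4Address(cfg.local_ip)
        subnet = ipaddress.IPv4Network(f"{cfg.local_ip}/{cfg.subnet_mask}", strict=False)
    except ValueError as exc:
        return [f"Local IP Address / Subnet Mask invalid: {exc}"]

    # Important note in Step 6: a DHCP server needs the client range configured.
    if cfg.dhcp_loaded and not cfg.specify_client_address_range:
        problems.append("DHCP server loaded but Specify Client Address Range is No")

    if cfg.specify_client_address_range:
        if not (cfg.client_address_range_start and cfg.client_address_range_end):
            problems.append("Client Address Range Start/End must both be set")
            return problems
        try:
            start = ipaddress.IPv4Address(cfg.client_address_range_start)
            end = ipaddress.IPv4Address(cfg.client_address_range_end)
        except ValueError as exc:
            problems.append(f"client address range invalid: {exc}")
            return problems
        if start > end:
            problems.append("Client Address Range Start is above Client Address Range End")
        # Table 1-2: the client range must be on the same subnet as Local IP Address.
        for label, addr in (("Start", start), ("End", end)):
            if addr not in subnet:
                problems.append(
                    f"Client Address Range {label} {addr} is not on the local subnet {subnet}")
        # Added sanity check (not in the manual): the server's own address must not
        # be handed out to a client.
        if start <= local <= end:
            problems.append(f"Local IP Address {local} lies inside the client address range")
    return problems


def header_compression_agrees(server_enabled: bool, client_enabled: bool) -> bool:
    """Table 1-2: both sides enabled or both disabled, otherwise TCP will not run."""
    return server_enabled == client_enabled


if __name__ == "__main__":
    cfg = PpprnsIpConfig("130.57.45.240", "255.255.255.0",
                         specify_client_address_range=True,
                         client_address_range_start="130.57.45.1",
                         client_address_range_end="130.57.45.100",
                         dhcp_loaded=True)
    print(validate_ppprns_ip(cfg) or "configuration consistent")
```

A configuration that passes these checks can still fail for reasons the manual lists elsewhere (the service not yet started, the DHCP NLM not loaded), so after saving, verify with the service statistics as Step 8 describes.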
Setting Up PPPRNS for IP Support 


This section is optional. You can set up your remote access server to function 
as a DHCP server for remote clients. When your remote access server is 
configured as a DHCP server, specify the following parameters per user or 
container: 


° Domain Name Server Address 
° Domain Name 


° Boot Filename (used for diskless clients) 


Note For these parameters to apply, you must load DHCPD (for NetWare 4.11 
systems) or DHCP (for NetWare 5 systems). 


To configure IP addresses for PPPRNS, complete the following steps: 
1. Load NIASCFG. 


2. Select Configure NIAS > Remote Access > Configure Services. 


The Remote Access Services window is displayed. 


3. Select PPPRNS. 


The PPPRNS Configuration Options window is displayed. 


4. Select Set IP Parameters. 
A list of users and containers in the default NDS™ context is displayed. 


Select the single period (.) to set IP information for the current container. 
If users are distributed over multiple contexts, select the double period 

(..) to move up the NDS tree to a common branch. Select names with a 
plus (+) prefix to move down the tree. 


If the CONNECT object does not have Browse rights to move up the 
NDS tree, press Ins and enter the new NDS context. This enables you to 
jump to another branch of the tree where the CONNECT object does 
have rights. 


5. Select a user or container. 
The User IP Parameters window is displayed. You can set the remote 
access parameters if the CONNECT object has Write attribute rights, in 
addition to having Browse and Read attribute rights, to that container. 


6. Select Set Domain Information and specify Yes. 


The domain information can be specified when the remote access server 
is set up as the DHCP server for remote clients and the clients want to 
receive this information. 


7. Specify the following domain parameters: 


Note The following parameters are available to clients only if the remote access 
server is a DHCP server and the clients request the information using DHCP. If 
the remote access server is not set up as a DHCP server (refer to “Setting Up 
PPPRNS to Support Remote IP Nodes” on page 52) or if the clients do not use 
DHCP to request information, these parameters are not used. 


° Domain Name Server Address—Enter the address of the domain 
name server to resolve hostnames for client requests. 


° Domain Name—Enter the suffix to append to local hostnames. For 
example, if the domain name is novell.com, the client appends this 
name to ca (the local hostname) to provide the complete name of 
ca.novell.com. 


Note You can specify the Domain Name Server Address parameter without 
specifying the Domain Name parameter if the client uses complete hostnames. 
Specifying the Domain Name parameter without the server address is not 
useful. 


8. Press Esc twice to save your changes. 


The changes take effect when you have saved them. 


Setting Up Client Software 


After you have completed the procedure to support remote IP nodes, you can 
configure the PPPRNS client software. The Windows* client software for 
PPPRNS is available on a separate client CD-ROM. Install and configure the 
client software on the remote PC and try to establish an IP connection. For 
more information, refer to the remote access online help. 
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Setting Up PPPRNS Security 


To configure PPPRNS security, complete the following steps: 


1. 


2. 


Note When 


Load NIASCFG. 


Select Configure NIAS > Remote Access > Configure Security. 


The Remote Access Security window is displayed. 


Select PPPRNS. 


The PPPRNS Configuration Options window is displayed. 


Select Configure Security. 


The PPPRNS Configuration window is displayed. 


Select Enable Security and specify Yes or No to enable or disable 
PPPRNS security. 


security is disabled, callers can establish a connection successfully by 


entering a valid username without a password. However, callers must still log in 


to the 


6. 


network. 


Specify Yes or No to enable or disable the NetWare Connect 
Authentication Protocol (NWCAP). 


This method is supported by the remote access dialer. NWCAP allows 
the NetWare password to be used as the Remote Client password (the 
default). 


Specify Yes or No to enable or disable the Password Authentication 
Protocol (PAP). 


The default is No. If you enable this protocol, callers configured for PAP 
must specify the Remote Client password to successfully establish a 
connection. This method is supported by the remote access dialer. Enable 
this option if you have UNIX* clients that support PAP. 


Note For dial-in VPN clients, either PAP or CHAP must be enabled. If you want PAP 
or CHAP users to authenticate and they do not have a Remote Client password, 
enter Set PPPRNS AdmitNoConfig=ON at the server console. The default is 
OFF. Setting this option to ON is not recommended. 


8. Specify Yes or No to enable or disable the Challenge Handshake 
Authentication Protocol (CHAP). 


This method is not supported by the remote access dialer shipped with 
NetWare. This method requires callers to specify a Remote Client 
password to establish a connection. To set Remote Client passwords, 
refer to “Setting Up a Remote Client Password” on page 61. 


Setting Up a Remote Client Password 


You must complete the following procedures to configure a remote client 
password: 


° “Setting Remote Client Passwords” on page 62 

° “Setting Password Restrictions” on page 63 

° “Allowing Users to Change Passwords” on page 64 

The Remote Client password is required to establish a connection, and the 
NetWare password is required for logging in to the NetWare network. Both 
passwords are specified for the same username. 

You can set Remote Client passwords for the following types of callers: 

° Remote user on a Macintosh* computer 

° Remote user on a PC using the PAP or CHAP method of authentication 

° Remote user accessing a remote control host session on the network 


You assign Remote Client passwords at first, then later allow callers to choose 
and change their own passwords. The remote access software has Windows and 
Macintosh tools to enable users to change their passwords. Refer to the remote 
access online help for more information about these tools. More information 
about using the NetWare Administrator utility to assign and change Remote 
Client passwords is located in the NetWare 5 online documentation at the 
following path: 


Contents > Connectivity Services (under Network Services heading) > Remote 
Access Configuration 


Enhance security for Remote Client passwords by requiring the following: 


° Minimum password length 

° Limited number of connection attempts 

° Periodic password change 

Note The user has a grace login limit of three logins after a password has expired. 
During this grace period, the password must be changed by either the user or 
the administrator. NCS dial-in users can see the number of grace logins 
remaining as they authenticate with the Service Selector (if their password has 
expired) before they select a host session. A separate utility on the remote 
access client allows the user to check for the number of remaining grace logins. 
Refer to the remote access online help for more information. 


Setting Remote Client Passwords 


To set Remote Client passwords, complete the following steps: 


1. Load NIASCFG. 


2. Select Configure NIAS > Remote Access > Configure Security. 


The Remote Access Security window is displayed. 


3. Select Set User Remote Client Password. 
A list of authorized users is displayed. 


If users are distributed over multiple contexts, select the double period 
(..) to move up the NDS tree to a common branch. Select any other 
container object to move down the tree. 


If the CONNECT object does not have Browse rights to move up the 
NDS tree, press Ins and enter the new NDS context. This allows you to 
jump to another branch of the tree where the CONNECT object does 
have rights. 


4. Select a username. 


The current status of the user's password is displayed, for example, never 
set or expired. 


5. Enter a password. 


The password must be alphanumeric and can contain up to 16 characters. 
The password is case sensitive. 
Important You must enable the long password option in order to specify passwords longer 
than eight characters. Refer to “Setting Password Restrictions” on page 63 for 
more information. 


Important You can configure user passwords if the CONNECT object has Write 
attribute rights, in addition to having Browse and Read attribute rights, 
to the container. 


Note The Remote Client password is less secure than the NetWare password. Make 
sure it is not the same as the NetWare password. 


6. Reenter the password. 
7. Press Esc to save your changes. 
8. Distribute the passwords to the corresponding users. 


A user must enter this password to establish an initial connection with remote 
access. 


An NCS dial-in user is prompted for a Remote Client password when dialing 
into the remote access server. If no Remote Client password is defined for this 
user, access will be denied. 


An undefined password is not the same as a NULL password. If the password 
is set to NULL, the user must press Enter when prompted for a password. 


The Service Selector indicates when a Remote Client password has expired 
and enables the NCS dial-in user to change the password at login time. 


Setting Password Restrictions 


To set password restrictions for Remote Client passwords, complete the 
following steps: 


1. Load NIASCFG. 


2. Select Configure NIAS > Remote Access > Configure Security. 


The Remote Access Security window is displayed. 
3. Select Set Remote Client Password Restrictions. 


4. Select Enable Long Passwords, then specify Yes or No to enable or 
disable this option. 
Important You cannot disable the long passwords feature after you have enabled it. If you 
enable long passwords, you must upgrade all your NetWare Connect 2.0 
servers to the latest version of the remote access software. Users will no longer 
be able to use NetWare Connect 2.0. You must also set the Enable Long 
Passwords parameter on each server. 


5. Enter a value between -1 and 20 for the Maximum Invalid Login 
Attempts parameter. 


This sets the number of times the user can enter the wrong password. The 
Remote Client password is disabled and cannot be used after the 
specified number of failed tries. The default of -1 allows the user to 
reenter an incorrect password indefinitely. 


6. Enter a value between -1 and 16 for the Set Minimum Password 
Length parameter. 


This sets the minimum number of characters for a password. The change 
takes effect the next time the password is set. To increase security, have 
users specify passwords of five or more characters. The default of -1 
means no limit is set. 


7. Press Esc to save your changes. 


Allowing Users to Change Passwords 


You can allow or disallow users to change their passwords. If you allow users 
to change passwords, you can increase password security by requiring them to 
change passwords periodically. More information about allowing users to 
change their passwords is located in the NetWare 5 online documentation at the 
following path: 


Contents > Connectivity Services (under Network Services heading) > Remote 
Access Configuration 


Note The user has a grace login limit of three logins after a password has expired. 
During this grace period, the password must be reset or changed by either the 
user or the administrator. NCS dial-in users can see the number of grace logins 
remaining if their passwords have expired during authentication with the Service 
Selector. 
The remote access software has Windows tools that enable users to change 
their Remote Client passwords, and it has Windows and Macintosh tools that 
enable users to check for the remaining number of grace logins. Refer to the 
remote access online help for more information. More information about using 
the NetWare Administrator utility to assign and change Remote Client 
passwords is located in the NetWare 5 online documentation at the following 
path: 


Contents > Connectivity Services (under Network Services heading) > Remote 
Access Configuration 


The Service Selector also has a menu option for changing the Remote Client 
password. This option is available to NCS dial-in users or PPP dialers using the 
Terminal Window After Dial-in option. 


Setting Up Implementation-Specific Client-to-Site Configurations 


The Novell VPN client software enables remote clients to connect to a VPN 
server and exchange confidential information without risk. As with site-to-site 
configurations, the information is encrypted and its confidentiality is preserved 
until it reaches the VPN server. This section describes the various options for 
establishing a client-to-site VPN. 


This section contains the following examples: 


° “Using the Client to Dial In to an ISP and Connect to the VPN Server 
over the Internet” on page 65 


° “Using the Client to Dial Directly In to the VPN Server” on page 67 


° “Using the Client to Connect to the VPN Server over a Broadband 
Connection” on page 68 


Using the Client to Dial In to an ISP and Connect to the VPN Server over the Internet 


With this option, the client connects to the VPN server using the Point-to-Point 
Protocol (PPP) through an ISP, as shown in Figure 1-5. Although using an ISP 
connection does not offer guaranteed bandwidth and could be slower than a 
direct dial-in connection, this option has the advantage of being less expensive 
than a direct dial-in connection. In addition to the cost of the phone line, a direct 
dial-in connection requires that you maintain a dial-up server, modems, and 
other related equipment. 
If your ISP supports PPTP, the VPN client can use the PPTP to access the VPN 
server through an ISP connection. 


Although Figure 1-5 does not show that the VPN server is a member of a site- 
to-site VPN, VPN servers can support both client-to-site and site-to-site 
connections. If the VPN server is part of a site-to-site VPN, the client can also 
access all the other members of the site-to-site VPN and the networks that they 
protect. In addition, the site-to-site connections can be either Internet 
connections or intranet connections. 


Figure 1-5 VPN Client Using an ISP Connection 
To set up a VPN client to connect to the VPN server using PPP through an ISP, 
complete the following steps: 


1. Install and configure the VPN client. 


For detailed instructions, refer to Novell BorderManager Enterprise 
Edition 3.5 Installation and Setup. 


2. Configure the VPN server to support the VPN client. 


For detailed instructions, refer to Novell BorderManager Enterprise 
Edition 3.5 Installation and Setup. 


3. Configure IP routing on your network so that packets can return to 
the VPN client through the VPN server. 


For additional information, see the BorderManager FAQ at 
support.novell.com/cgi-bin/search/tidfinder.cgi?2949583. If you are 
using the Novell Knowledgebase search function, the TID number is 
2949583. 


Using the Client to Dial Directly In to the VPN Server 


Figure 1-6 


With this option, the client uses PPP to dial directly in to the VPN server, as 
shown in Figure 1-6. Although a direct PPP connection has guaranteed 
bandwidth, it is more expensive and might not be any faster than an ISP 
connection. 


For some remote clients, a direct dial-in connection might be the only option 
available. 


Although Figure 1-6 does not show that the VPN server is a member of a site- 
to-site VPN, VPN servers can support both client-to-site and site-to-site 
connections. If the VPN server is part of a site-to-site VPN, the client can also 
access all the other members of the site-to-site VPN and the networks that they 
protect. In addition, the site-to-site connections can be either Internet 
connections or intranet connections. 
To set up a VPN client to dial directly in to the VPN server, complete the 
following steps: 


1. Install and configure the VPN client. 


For detailed instructions, refer to Novell BorderManager Enterprise 
Edition 3.5 Installation and Setup. 


2. Configure the remote access software. 


For detailed instructions, refer to the “Setting Up Remote Access on a 
VPN Server to Support Dial-In VPN Clients” on page 47. 


3. Configure the VPN server to support the VPN client. 


For detailed instructions, refer to Novell BorderManager Enterprise 
Edition 3.5 Installation and Setup. 
Using the Client to Connect to the VPN Server over a Broadband Connection 


With this option, the client accesses the VPN server through an ISP using a 
cable modem, an ADSL device, a LAN connection, or an established dial-up 
connection, as shown in Figure 1-7. If it is available, a broadband connection 
is faster and less expensive than a dial-in connection. 


Although Figure 1-7 does not show that the VPN server is a member of a site- 
to-site VPN, VPN servers can support both client-to-site and site-to-site 
connections. If the VPN server is part of a site-to-site VPN, the client can also 
access all the other members of the site-to-site VPN and the networks that they 
protect. In addition, the site-to-site connections can be either Internet 
connections or intranet connections. 


Figure 1-7 VPN Client Using a LAN Connection 


1. Install and set up the VPN client. 


For detailed instructions, refer to Novell BorderManager Enterprise 
Edition 3.5 Installation and Setup. 


2. Set up the VPN server to support the VPN client. 


For detailed instructions, refer to Novell BorderManager Enterprise 
Edition 3.5 Installation and Setup. 
3. Configure IP routing on your network so that packets can return to 
the VPN client through the VPN server. 


For additional information, see the BorderManager FAQ at 
support.novell.com/cgi-bin/search/tidfinder.cgi?2949583. If you are 
using the Novell Knowledgebase search function, the TID number is 
2949583. 
chapter 


Managing Virtual Private Networks 


This chapter describes the statistics used to monitor the operation of your 
Novell® BorderManager™ Virtual Private Network (VPN). It contains the 
following procedures: 

° “Checking the Activity of a VPN Server” on page 71 

° “Checking the Audit Log of a VPN Server” on page 78 

° “Checking the VPN Real-Time Monitor” on page 81 


° “Checking the Status of a VPN Client Connection” on page 82 


° “Exporting Data” on page 87 


Checking the Activity of a VPN Server 


The VPN Member Activity window displays the real-time activity of a selected 
VPN member and its associated VPN tunnel connections for IP or the 
Internetwork Packet Exchange™ (IPX™) software. 


There are two ways to display the VPN activity. If you select a slave server, 
both methods have the same capabilities. If you select the VPN master server, 
the first enables you to view connection information from the perspective of 
any VPN member, while the second enables you to view connection 
information only from the perspective of the master server. 


Important To view the activity of any VPN server that is also a member of another VPN, 
you must go to the VPN server in your local VPN that is directly connected to 
that server. 
Displaying the VPN Activity from the VPN Tab 


To display the VPN activity using the first method, complete the following 
steps: 


1. In NetWare® Administrator, double-click a VPN server and select 
the BorderManager Setup page. 


2. Click the VPN tab. 


3. Double-click Master Site-to-Site or Slave Site-to-Site under Enable 
Service. 


4. Click Status. 


For the master server, the screen displays the VPN's synchronization 
status, the progress of the master server updating all slave servers with 
the current VPN topology and encryption information. A server's 
synchronization status can assume one of the following states: 


° Up-to-Date—The server has been configured with the latest 
topology and encryption information. This state does not indicate 
that the server's VPN tunnel connections are up. Use the Activity 
display to determine the status of the VPN tunnel connections. 


° Being Configured—The server has not received the newest 
topology and encryption information from the master server. 


° Being Removed—The server is being removed from the VPN. 


Note Any server state that remains at Being Configured or Being Removed for an 
extended period of time indicates a problem with the master server's ability to 
communicate with that VPN member. If a VPN member has been removed from 
the VPN, its state will remain at Being Removed as long as the master server 
cannot communicate with it. You can remove the VPN member from the 
Synchronization Status list by clicking Free VPN Member. For all other cases, 
view the audit log to troubleshoot the problem. 


5. If you are viewing the status from the master server, click a VPN 
server. 


6. Click Activity. 


° To check the activity between the selected VPN member and an 
associated connection, click the name of the associated connection 
in the Associated Connections window. 
This updates the IPX Associated Connection Details and the IP 
Associated Connection Details windows, and reflects the VPN 
tunnel activity information for this VPN member. 


° To see the latest activity information, click Update. 


This updates the VPN Associated Connections window with the 
latest activity information. The monitor is automatically updated 
every 10 seconds. 


Displaying VPN Activity from the Tools Menu 


To display VPN activity only from the perspective of the server that you select, 
complete the following steps: 


1. In NetWare Administrator, click the VPN server from whose 
perspective you want to view the activity information. 


2. Select Novell BorderManager from the Tools menu to open the 
Novell® BorderManager™ window. 


3. Right-click Virtual Private Network and select View Member 
Activity/Log from the menu of options to view the VPN Activity 
window. 


The VPN Activity Window 


The following information is contained in the VPN Activity window: 


° VPN Associated Connections—Displays the real-time activity of the 
currently selected VPN member and all associated VPN tunnel 
connections for either protocol (IPX or IP). The activity arrows are 
defined as follows: 


° Green Up-arrow—The encryption tunnel is currently active 
between the selected VPN member and the associated connection. 
This arrow indicates that packets have been received within the last 
35 seconds. 


° Light Blue Up-arrow—The encryption tunnel is currently active 
and packets have been received from 35 to 70 seconds earlier. 
° Yellow Up-arrow—The encryption tunnel is currently active and 
packets have been received at one time, but not in the last 70 
seconds. 


° Magenta Up-arrow—The tunnel connection was previously 
established and packets were received, but the connection is 
currently unattached. 


° Red Up-arrow—The encryption tunnel is in the process of being 
established. 


° Red Down-arrow—The encryption tunnel is currently down 
between the selected VPN member and the associated connection. 
This arrow indicates that no packets were ever received. Check the 
audit log for both VPN members to determine why this encryption 
tunnel is down. 


To view the activity between the selected VPN member and a particular 
associated connection, click the associated VPN member name in the 
VPN Associated Connections list. The IPX Associated Connection 
Details and the IP Associated Connection Details windows are updated 
to reflect the VPN tunnel activity information for this VPN member. 


° VPN Tunnel Global Details—Displays the following global VPN 
connection information for the selected VPN member: 


° Tunnel Status—Whether the VPN tunnel is currently loaded or 
unloaded. 


° Tunnel Time Active—How long the VPN tunnel has been active. 


° Successful Client Connects—Total number of times a successful 
connection was made with a VPN client. 


° Failed Client Connects—Total number of times an attempt to make 
a connection with a VPN client failed. 


° IPX Packets Sent—Total number of encrypted IPX packets sent to 
all VPN members. 


° IPX Packets Received—Total number of encrypted IPX packets 
received from all VPN members. 


° IP Packets Sent—Total number of encrypted IP packets sent to all 
VPN members. 


° IP Packets Received—Total number of encrypted IP packets 
received from all VPN members. 


° Total Packets Sent—Total number of IPX and IP packets sent to all 
VPN members. 


° Total Packets Received—Total number of IPX and IP packets 
received from all VPN members. 


° Total Bytes Sent—Total number of bytes sent to all VPN members. 


° Total Bytes Received—Total number of bytes received from all 
VPN members. 


° Total Sent Packets Discarded—Total number of outgoing IPX and 
IP packets discarded. 


° Total Receive Packets Discarded—Total number of incoming IPX 
and IP packets discarded. 


° Associated Connection Details—Displays the following information 
about the tunnel connection between the selected VPN member and the 
associated VPN member: 


° Associated Connection—Associated VPN member's server name. 


° Associated Address—Associated VPN member's IP address. This 
is the configured public IP address. 


° Time to Disconnect—Amount of time left before the Disconnect 
Timeout expires and the VPN tunnel is disconnected if the 
connection remains inactive. 


° Send Key Changes—Number of times the outgoing data 
encryption key was changed. 


° Receive Key Changes—Number of times the incoming data 
encryption key was changed. 


° Total Bytes Sent—Number of bytes of encrypted IPX data sent to 
the associated VPN member. 


° Total Bytes Received—Number of bytes of encrypted IPX data 
received from the associated VPN member. 


° Sent Packets Discarded—Number of IPX and IP packets sent to 
the associated VPN member that were discarded. 


° Receive Packets Discarded—Number of IPX and IP packets 
received from the associated VPN member that were discarded. 
° IPX Associated Connection Details—Displays the following 
information about the IPX tunnel connection between the selected VPN 
member and the associated VPN member: 


° Connection State—Current connection state with the associated 
VPN member. The connection states are defined as follows: 


° Established—The connection has been established and packets 
have been sent and received. 


° Pending—A call has been made, but no packets have been received 
from that member. 


° Unattached—The connection has not been made or the WAN call 
terminated after the connection was established. 


° Call Direction—Call direction for the associated VPN member. 
The call directions are defined as follows: 


° Outgoing—For this connection, the selected VPN member 
initiated the call. 


° Incoming—For this connection, the associated VPN member 
initiated the call. 


° Time Active—Total amount of time this VPN tunnel connection 
has been active. 


° Packets Sent—Number of encrypted IPX packets sent to the 
associated VPN member. 


° Packets Received—Number of encrypted IPX packets received 
from the associated VPN member. 

° IP Associated Connection Details—Displays the following information 
about the IP tunnel connection between the selected VPN member and 
the associated VPN member: 


° Connection State—Current connection state for the associated 
VPN member. The connection states are defined as follows: 


° Established—The connection has been established and packets 
have been sent and received. 


° Pending—A call has been made, but no packets have been received 
from that member. 


° Unattached—The connection has not been made or the WAN call 
terminated after the connection was established. 


° Call Direction—Call direction for the associated VPN member. 
The call directions are defined as follows: 


° Outgoing—For this connection, the selected VPN member 
initiated the call. 


° Incoming—For this connection, the associated VPN member 
initiated the call. 


° Time Active—Total amount of time this VPN tunnel connection 
has been active. 


° Packets Sent—Number of encrypted IP packets sent to the 
associated VPN member. 


° Packets Received—Number of encrypted IP packets received from 
the associated VPN member. 


To view the latest activity information, click Update. The VPN Associated 
Connections window is refreshed with the latest activity information. The 
monitor automatically refreshes every 10 seconds. 
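The arrow and Connection State rules described for the VPN Activity window can be turned into a simple health check that an operator runs against each 10-second snapshot. The Python below is an added example and is not part of the Novell BorderManager software or documentation; the field names (call_up, ever_received, last_received_age_s) are assumptions about how an operator would record what the window shows, and the sample snapshot is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TunnelDetails:
    """One Associated Connection as read off the Activity window.
    Field names are this example's assumption, not the product's."""
    name: str                             # Associated Connection (server name)
    call_up: bool                         # WAN call currently attached
    ever_received: bool                   # packets received at some point
    last_received_age_s: Optional[float]  # seconds since last packet; None if never


def connection_state(d: TunnelDetails) -> str:
    """Connection State column: Established, Pending or Unattached."""
    if d.call_up and d.ever_received:
        return "Established"      # call up and packets exchanged
    if d.call_up:
        return "Pending"          # call made, nothing received yet
    return "Unattached"           # no call, or call dropped after establishment


def activity_arrow(d: TunnelDetails) -> str:
    """Arrow shown in the VPN Associated Connections list, per the manual."""
    if not d.ever_received:
        # No packet ever received: either still coming up, or down outright.
        return "red up" if d.call_up else "red down"
    if not d.call_up:
        return "magenta up"       # tunnel once carried traffic, now unattached
    age = d.last_received_age_s
    if age < 35:
        return "green up"         # traffic within the last 35 seconds
    if age <= 70:
        return "light blue up"    # last packet 35 to 70 seconds ago
    return "yellow up"            # alive once, silent for more than 70 seconds


def triage(details: List[TunnelDetails]) -> List[Tuple[str, str, str, str]]:
    """One row per connection: (name, state, arrow, follow-up).
    Follow-up text mirrors the manual: a red down-arrow means check the
    audit log on both members; yellow means the tunnel is idle beyond the
    70 s window and Time to Disconnect is counting down."""
    rows = []
    for d in details:
        arrow = activity_arrow(d)
        if arrow == "red down":
            action = "check audit log on both VPN members"
        elif arrow == "yellow up":
            action = "no packets in last 70 s; watch Time to Disconnect"
        elif arrow == "magenta up":
            action = "tunnel carried traffic earlier but is now unattached"
        else:
            action = ""
        rows.append((d.name, connection_state(d), arrow, action))
    return rows


# Constructed sample snapshot (not data from a real server), one per arrow.
SAMPLE = [
    TunnelDetails("SLAVE_BOSTON", True, True, 12.0),
    TunnelDetails("SLAVE_DENVER", True, True, 35.0),
    TunnelDetails("SLAVE_MIAMI", True, True, 200.0),
    TunnelDetails("SLAVE_SEATTLE", False, True, 900.0),
    TunnelDetails("SLAVE_AUSTIN", True, False, None),
    TunnelDetails("SLAVE_TOKYO", False, False, None),
]

if __name__ == "__main__":
    for name, state, arrow, action in triage(SAMPLE):
        print(f"{name:14s} {state:12s} {arrow:14s} {action}")
```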


The Security Window 


To view the encryption and authentication key parameters, click Security. The 
following information is contained in the Security window: 


° Global Packets Per Key Change—Number of packets sent or received 
that will cause the data encryption key to change. 


° Key Management—Protocol used for key management. Currently, only 
SKIP is supported. 


° Send Encryption Type—Outgoing data encryption algorithm used. 
° Receive Encryption Type—Incoming data encryption algorithm used. 
° Encryption Send Key Size—Outgoing data encryption key length in bits. 


° Encryption Receive Key Size—Incoming data encryption key length in 
bits. 


° Send Authentication Type—Outgoing data authentication algorithm 
used. 
° Receive Authentication Type—Incoming data authentication algorithm 
used. 


° Authentication Send Key Size—Outgoing data authentication key length 
in bits. 


° Authentication Receive Key Size—Incoming data authentication key 
length in bits. 


Checking the Audit Log of a VPN Server 


The VPN audit log enables you to view audit log messages generated by a VPN 
server. You can also view a detailed explanation of any message. 


There are two ways to display the VPN audit log. Both methods have the same 
capabilities. Using either method from the master server, you can view the 
audit log of any slave server. 


Important You cannot view the audit log of any VPN server that is also a member of 
another VPN. You can view the audit log of only those VPN servers that are 
exclusively members of your local VPN. 


To display a VPN audit log using the first method, complete the following 
steps: 


1. In NetWare® Administrator, double-click a VPN server and select 
the BorderManager Setup page. 


2. Click the VPN tab. 


3. Double-click Master Site-to-Site or Slave Site-to-Site under Enable 
Service. 


4. If you selected Master Site-to-Site, select a VPN member. 


5. Click Status. 


6. Click a VPN server, then click Audit Log. 


To display a VPN audit log using the second method, complete the following 
steps: 


1. In NetWare Administrator, click a VPN server whose audit log 
information you want to view. 


2. Select Novell BorderManager from the Tools menu to open the 
Novell® BorderManager™ window. 


3. Right-click Virtual Private Network and select View Member 
Activity/Log from the menu of options to view the VPN Audit Log 
window. 


The Audit Log window is under the VPN Activity window. 


Do one of the following: 


° To view the audit log for the selected VPN member, click Acquire. 


The latest audit log messages in the database are displayed. Only 
ten messages are visible at a time, with the most current (latest time 
stamp) message displayed first. Use the scroll bar or PageDown 
key to see earlier messages. By default, the latest 100 messages in 
the audit log database are acquired at a time. 


° To acquire the next set of audit log messages for the selected VPN 
member, click More. 


The next 100 messages in the database are displayed. Because only 
ten messages are visible at a time, use the scroll bar or PageDown 
key to see the rest. The More button is not available if no more 
audit log messages are in the database. The More button does not 
emulate the screen settings. Changes made to the audit log controls 
take effect after you click Acquire. Only then does the More button 
use the current settings. 


° To change the number of message entries to acquire at any one 
time, click the Up-arrow or Down-arrow in the Phase Entries 
control box. 


The new Phase Entries value is the number of audit log messages 
acquired the next time you click Acquire. 


° To view additional information about a particular message, double-click 
the message or click Details. 
An explanation of the message is displayed. If the message is an 
error message, it also explains how to solve the problem. 


The VPN Audit Log Window 


The following information is contained in the VPN Audit Log window: 
° Audit Log Provider—Allows you to choose which VPN software 
components will have their messages displayed. 


° Selection Type—Allows you to choose which audit log message types to 
display. 


° Audit Log Enable—Allows you to enable or disable the VPN audit log 
feature of the selected VPN member. 


If the check box is not selected, the VPN member stops saving VPN error 
and informational messages to the audit log database. This control 
feature takes effect only after you click Acquire. 


° Audit Log Start and Audit Log End—Specifies a range of audit log 
messages to view based on date and time. The Audit Log End field 
specifies the most recent VPN messages saved in the audit log database. 
The Audit Log Start field specifies the earliest VPN messages saved in 
the audit log database. Use the Valid Audit Log Range group box to set 
the current range of the VPN audit log messages for the selected VPN 
member. Use the Up-arrow and Down-arrow to change the date and time 
for both controls. 


° Audit Log Progress—Indicates the current progress of the audit log 
retrieval according to the defined settings. 


° Audit Log Messages—Displays the audit log messages for each VPN 
member. 


Each message includes a time stamp indicating when the message was 
generated and the message type. There are four types of audit log 
messages: VPN Control, VPN Tunnel, SKIP, and IPSEC. VPN Control 
messages correspond to the VPN autoconfiguration process. VPN 
Tunnel messages correspond to the encryption tunnels established 
between VPN members. SKIP and IPSEC messages correspond to those 
two security protocols. Each audit log type is also categorized as either 
an error message or an informational message. The following types of 
messages are displayed: 


° Green T—Informational messages for VPN Tunnel. 


° Green C—Informational messages for VPN Control. 
° Green S—Informational messages for SKIP. 
° Green IP—Informational messages for IPSEC. 


° Red T—Error messages for VPN Tunnel. 
° Red C—Error messages for VPN Control. 
° Red S—Error messages for SKIP. 


° Red IP—Error messages for IPSEC. 


Checking the VPN Real-Time Monitor 


The VPN Monitor window displays the real-time activity of a selected VPN 
member and its associated VPN tunnel connections for IPX or IP. 


To display the VPN Monitor window, complete the following steps: 


1. In NetWare® Administrator, click the VPN server from whose 
perspective you want to view the monitor information. 


2. Select Novell BorderManager from the Tools menu to open the 
Novell® BorderManager™ window. 


3. Right-click Virtual Private Network and select Monitor Real-Time 
Activity from the menu of options to view the VPN Monitor window. 


The VPN Monitor Window 


The following information is contained in the VPN Monitor window: 


° Active Connections—Number of currently active VPN connections. 
° Remote Site—Location and ID of the remote VPN site. 
° Connection ID—Connection ID for the VPN member. 
° Connection Type—Whether the connection is for a dial-in client, LAN 
  client, server, or third party. 
° Bytes Sent—Number of bytes of encrypted data sent to the associated 
  VPN member. 
° Bytes Received—Number of bytes of encrypted data received from the 
  associated VPN member. 
° Duration—Total amount of time that the VPN tunnel connection has 
  been active. 
° Encryption Type—Type of data encryption algorithm being used. 
° Key Size—Data encryption key length in bits. 
° Key Lifetime—Duration of the current data encryption key. 
° Key Changes—Number of times the data encryption key was changed. 
° IP Packets Sent—Number of encrypted IP packets sent to all VPN 
  members. 
° IP Packets Received—Number of encrypted IP packets received from all 
  VPN members. 
° IPX Packets Sent—Number of encrypted IPX packets sent to all VPN 
  members. 
° IPX Packets Received—Number of encrypted IPX packets received 
  from all VPN members. 
° Authentication Type—Type of data authentication algorithm being used. 
° Authentication Key Size—Data authentication key length in bits. 
° Key Management Type—Protocol used for key management. Currently, 
  only SKIP is supported. 


Checking the Status of a VPN Client Connection 


The VPN Status and VPN Statistics windows for VPN clients enable you to 
determine whether the client has established a connection with a VPN server 
and to monitor the activity over an established connection. 
To check the status of a VPN client connection, complete the following steps: 


1. After a VPN client connection has been initiated, click the VPN 
Status tab in the VPN Login dialog box. 


This window displays the progress of the VPN client connection. 


After the connection is established, the VPN Statistics icon is displayed 
in the task bar. Click on the icon to view the VPN statistics. The icon is 
available until the connection is closed. 


2. To minimize the VPN Statistics window, click OK. 


3. To terminate the VPN connection, click Disconnect. 


On Windows NT* systems, you must terminate your dial-up VPN 
connection from this window. If you terminate only the dial-up connection 
using Windows NT's Dial-Up Monitor, the VPN server keeps your VPN 
connection open until its inactivity timeout expires. The stale connection 
cannot be used by other VPN clients and is not a security risk in itself; 
however, until it times out it holds server resources that are then 
unavailable to other VPN clients. 


The VPN Client Status Window 


The following information is contained in the VPN client Status window: 


° Server Address—IP address of the VPN server to which the client is 
connected. 


° Local Address—IP address of the VPN client. 
° Server icon—Name of the VPN server to which the client is connected. 


° Tree icon—Name of the NDS™ tree that contains the VPN server to 
which the client is connected. 


° Status 

   ° Key Management—Protocol used for key management. Currently, 
     only SKIP is supported. 
   ° Encryption Type—Data encryption algorithm used by the VPN 
     connection. 
   ° Authentication Type—Data authentication algorithm used by the 
     VPN connection. 
   ° Encryption Key Size—Data encryption key length in bits. 
   ° Authentication Key Size—Data authentication key length in bits. 


° Progress 

   ° Dial-Up Complete—When checked, the dial-up connection to the 
     VPN server has been established. 
   ° Authenticated NetWare User—When checked, the VPN 
     authentication has been completed. 
   ° Enabled IP Encryption—When checked, the encrypted tunnel has 
     been established for IP packets. 
   ° Enabled IPX Encryption—When checked, the encrypted tunnel 
     has been established for IPX packets. 
   ° Performing NetWare Login—When checked, you have been 
     successfully logged in to NetWare®. 


The VPN Client Statistics Window 


The following information is contained in the VPN client Statistics window: 


° VPN State 

   ° Server IP Address—IP address of the VPN server to which the 
     client is connected. 
   ° Local IP Address—IP address of the VPN client. 
   ° Time Active—Amount of time the connection between the VPN 
     client and server has been active. 
   ° Key Management—Protocol used for key management. Currently, 
     only SKIP is supported. 
   ° Encryption Type—Data encryption algorithm used by the VPN 
     connection. 
   ° Authentication Type—Data authentication algorithm used by the 
     VPN connection. 
   ° Encryption Key Size—Data encryption key length in bits. 
   ° Authentication Key Size—Data authentication key length in bits. 
   ° IP Encryption Enabled—Whether the VPN tunnel has been 
     configured to encrypt IP packets. 
   ° IPX Encryption Enabled—Whether the VPN tunnel has been 
     configured to encrypt IPX packets. 
   ° Disconnect Timeout—Amount of time the VPN tunnel can remain 
     inactive before it is disconnected. 
   ° Time to Disconnect—Amount of time remaining before the VPN 
     tunnel is disconnected if no activity occurs. 


° VPN Transfer 

   ° IPX Encrypted Packets Sent—Number of encrypted IPX packets 
     sent from the VPN client on this connection. 
   ° IPX Encrypted Packets Received—Number of encrypted IPX 
     packets received by the VPN client on this connection. 
   ° IP Encrypted Packets Sent—Number of encrypted IP packets sent 
     from the VPN client on this connection. 
   ° IP Encrypted Packets Received—Number of encrypted IP packets 
     received by the VPN client on this connection. 
   ° Unencrypted Packets Sent—Number of unencrypted packets sent 
     from the VPN client on this connection. 
   ° Unencrypted Packets Received—Number of unencrypted packets 
     received by the VPN client on this connection. 


Even if the VPN client has been configured to encrypt all networks, the number 
of unencrypted packets sent or received might be a nonzero value. Unencrypted 
packets are used to bring up the encrypted tunnel itself. Although the packets 
are not encrypted using IPSEC, their contents are protected using Novell's 
proprietary protocol and encryption methods. The number of unencrypted 
packets sent should be less than 10 and should not increase after the tunnel has 
been established. If the value continues to increase, make sure that no other 
path from the protected network to the VPN client is shorter than the path 
through the tunnel. A shorter path can exist if another server on the protected 
network has a connection to the Internet. The number of unencrypted packets 
received is also increased by the receipt of broadcast packets from the Internet, 
such as BOOTP broadcast packets sent to clients. 
   ° Sent Packets Discarded—Number of IPX and IP packets sent from 
     the VPN client on this connection that were discarded. The packets 
     are sent by applications after the connection is established, but 
     before the encrypted tunnel is brought up. 
   ° Receive Packets Discarded—Number of IPX and IP packets 
     received by the VPN client on this connection that were discarded. 
     A nonzero value probably indicates decryption errors. Check the 
     integrity of the line if a high value is displayed. 
   ° Total Packets Sent—Total number of IPX and IP packets sent from 
     the VPN client on this connection. 
   ° Total Packets Received—Total number of IPX and IP packets 
     received by the VPN client on this connection. 
   ° Total Bytes Sent—Total number of bytes sent from the VPN client 
     on this connection. 
   ° Total Bytes Received—Total number of bytes received by the VPN 
     client on this connection. 


The More Window 


The following information is contained in the VPN client More window: 
° Server icon—Name of the VPN server to which the client is connected. 
° Tree icon—Name of the NDS tree that contains the VPN server to which 
  the client is connected. 
° User Name—Client's NDS username. 
° Context—Client's NDS context. 
° Baud Rate—Speed at which the dial-up connection between the VPN 
  client and Internet Service Provider (ISP) or VPN server is running. 
° Protected IP Networks—Local IP networks or host addresses that can 
  exchange encrypted data across the VPN. 
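The Statistics window counters described above carry a few health rules: fewer than 10 unencrypted packets should be sent, that counter should stop growing once the tunnel is up, and discarded received packets point to decryption errors. The following Python script is an added example (not Novell code) that applies those rules to a time-ordered series of samples copied from the Statistics window. The field names on ClientStats, the finding codes, and the sample values are this example's own assumptions; the samples are constructed, not captured from a real client.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ClientStats:
    """One sample of the VPN client Statistics window.

    Field names are this example's own; the window shows the same values
    under the labels used in the documentation above.
    """
    time_active: int            # seconds the connection has been active
    ip_encryption_enabled: bool
    ipx_encryption_enabled: bool
    ip_encrypted_sent: int
    ip_encrypted_received: int
    unencrypted_sent: int
    unencrypted_received: int
    sent_discarded: int
    receive_discarded: int


# Documented expectation: tunnel setup needs fewer than 10 unencrypted packets.
UNENCRYPTED_SENT_LIMIT = 10


def tunnel_up(s: ClientStats) -> bool:
    """The encrypted tunnel is up once IP or IPX encryption is enabled."""
    return s.ip_encryption_enabled or s.ipx_encryption_enabled


def check_client_stats(samples: List[ClientStats]) -> List[str]:
    """Evaluate a time-ordered series of Statistics samples for one connection.

    Returns a list of findings, each prefixed with a short code. An empty
    list means the connection matches the documented healthy profile.
    """
    if not samples:
        return ["NO_DATA: no samples collected"]
    findings: List[str] = []
    up_indexes = [i for i, s in enumerate(samples) if tunnel_up(s)]
    if not up_indexes:
        return ["TUNNEL_DOWN: IP/IPX encryption never became enabled"]
    base = samples[up_indexes[0]]   # first sample taken with the tunnel established
    last = samples[-1]

    # Rule 1: only a handful of unencrypted packets should ever be sent.
    if last.unencrypted_sent >= UNENCRYPTED_SENT_LIMIT:
        findings.append(
            f"UNENCRYPTED_LIMIT: unencrypted_sent={last.unencrypted_sent}, "
            f"expected fewer than {UNENCRYPTED_SENT_LIMIT}")

    # Rule 2: the counter must not grow after the tunnel is up; growth means
    # traffic for the protected network is taking a path outside the tunnel
    # (for example another server on that network with its own Internet link).
    if last.unencrypted_sent > base.unencrypted_sent:
        findings.append(
            f"UNENCRYPTED_GROWTH: unencrypted_sent rose from "
            f"{base.unencrypted_sent} to {last.unencrypted_sent} after tunnel up; "
            "check for a shorter unencrypted path to the protected network")

    # Rule 3: discarded received packets probably indicate decryption errors.
    if last.receive_discarded > 0:
        findings.append(
            f"RX_DISCARDED: receive_discarded={last.receive_discarded}; "
            "probable decryption errors, check line integrity")

    # Rule 4 (inferred from the description of Sent Packets Discarded, an
    # assumption of this example): sends are only expected to be discarded
    # before the tunnel is up, so the counter should be flat afterwards.
    if last.sent_discarded > base.sent_discarded:
        findings.append(
            f"TX_DISCARDED_AFTER_UP: sent_discarded rose from {base.sent_discarded} "
            f"to {last.sent_discarded} after the tunnel was established")
    return findings


# Constructed samples (not captured from a real client). Unencrypted
# received packets are allowed to grow: Internet broadcasts bump that counter.
HEALTHY_SAMPLES = [
    ClientStats(5, False, False, 0, 0, 3, 1, 2, 0),       # tunnel coming up
    ClientStats(60, True, False, 40, 38, 6, 2, 2, 0),     # tunnel up, 6 setup packets
    ClientStats(300, True, False, 900, 870, 6, 4, 2, 0),  # steady state
]
LEAKING_SAMPLES = [
    ClientStats(5, False, False, 0, 0, 3, 1, 2, 0),
    ClientStats(60, True, False, 40, 38, 6, 2, 2, 0),
    ClientStats(300, True, False, 90, 80, 25, 4, 2, 7),   # plaintext keeps flowing
]

if __name__ == "__main__":
    for name, samples in (("healthy", HEALTHY_SAMPLES), ("leaking", LEAKING_SAMPLES)):
        print(name, check_client_stats(samples) or ["OK"])
```

Sample at least once before and once after the Progress window shows IP or IPX encryption enabled; the rules compare the latest sample against the first one taken with the tunnel up, so a single sample can only tell you whether the tunnel came up at all.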


Exporting Data 


The VPN audit log is stored in a Btrieve* file on the Novell® BorderManager™ 
server and is maintained by CSAUDIT.NLM. The audit log cannot be edited or 
manipulated from the server; however, the data can be exported for analysis. 
The format of the exported data is compatible with popular trend analysis 
software packages, such as WebTrends*. 


To export the VPN audit log, complete the following steps: 


1. In NetWare® Administrator, click the Server object representing the 
   BorderManager server. 


2. Select Novell BorderManager from the Tools menu. 


3. From the BorderManager menu, select Export Logs. 


4. Click Set Range and enter the date range. 


   This is the range of dates comparable to the dates used to display records 
   in the VPN Users Statistics window. The default range is the current 
   server date. 


5. Click Browse to select the drive mapped to the destination for the 
   export file. 


   This is the path and filename for the export file. The default destination 
   is A:\YYYYMMDD.LOG, where YYYY is the current year, MM is the 
   current month, and DD is the current day. If you change the filename 
   from the default format, the filename will not reflect the current server 
   date. For example, if you change the filename format to 
   MMDDYYYY.LOG, the next time you try to export logs on another day, 
   the log filename will not have incremented to the current date. 


6. (Optional) If the default filename is unacceptable, enter a new 
   filename in the File field. 


7. (Optional) If you want to combine the VPN audit log with audit logs 
   from other BorderManager services, check the Combine Log Files 
   check box. 


   This feature allows log files from different BorderManager services to be 
   combined into a single output file. When log files are combined, they are 
   appended to one file, service by service. 


8. Under Log Selection, check the VPN check box. 


9. (Optional) If you checked Combine Log Files in Step 7, under Log 
   Selection, check all other BorderManager audit log files to be 
   combined with the VPN audit log file. 


10. Click OK. 


The audit log is exported to an ASCII file. VPN audit log entries are messages 
created by various processes and do not follow a fixed format. The messages 
will be copied to the export file without change. 


If the Combine Log Files feature is not selected and you select one or more 
services under the Log Selection field, a separate export file is created for each 
service under a subdirectory of the export destination path. 


The export subdirectories used are shown in the following table. 


Log Type                                   Export Subdirectory 
HTTP Proxy                                 HTTP 
FTP Proxy                                  FTP 
NNTP Proxy                                 NNTP 
Mail Proxy                                 SMTP 
RealAudio* and Real Time Streaming         RAUDIO 
Protocol (RTSP) Proxies 
DNS Proxy                                  DNS 
Generic Proxy                              GENERIC 
SOCKS Client                               SOCKS 
IPX Gateway (Novell IP Gateway)            IPXGW 
VPN                                        VPN 
ACL (access control)                       ACL 
For example, if you specified an export destination of 
VOL1:LOGS\19981019.LOG, did not select the Combine Log Files feature, 
and checked the boxes for HTTP proxy, FTP proxy, and VPN, the following 
logs would result: 

° VOL1:LOGS\HTTP\19981019.LOG 
° VOL1:LOGS\FTP\19981019.LOG 
° VOL1:LOGS\VPN\19981019.LOG 